Hi Paul

I'm CC'ing this reply to the dnsop@ list as it is relevant info for
others to read too. So I've not quoted your email.

UDP has a header checksum that can notice message modification when in
use. Sometimes this may be 0 if the sender host did not generate a
checksum. This draft adds one in the application layer alongside a nonce
known to the client. Together they are meant to thwart any possibility
of different kinds of off-path cache-poisoning attacks. It is a simpler,
lesser form of DNS cookies that goes a little further from the client's
perspective.

If some countermeasures such as source port randomization are either
turned off (perhaps when DNS cookies are in use; typically source port
randomization has a significant performance penalty) or ineffective
perhaps due to NAT, there is a remote possibility of poisoning with IP
fragmentation.

Note that this draft still cannot prevent some kinds of attack such as
response and NS blocking and NS pinning as described in Herzberg and
Shulman's paper (cited in the draft).

There are practical issues with TCP which are still currently prevalent:

1. The 3-way handshake doubles the number of roundtrips necessary before
an answer is received. With iteration, it can result in conspicuously
increased average turnaround time in applications such as web browsing,
as DNS is the starting point. This becomes noticeable in a location such
as where I live (India), from where the RTT to many of the
moderately popular websites' DNS nameservers is quite high. There are some
efforts to solve this such as TCP Fast Open, but they are not widely
deployed. Once the records are cached, everything is faster, but a delay
is still a delay. RTT to almost everywhere significant is high from
here. Also, OTOH, use of DNS cookies with UDP itself may require
additional roundtrips.

2. There are concerns about whether using TCP is scalable for DNS. The
dns-dev-coord list was set up to discuss this topic and try to improve
TCP performance across implementations.

But I agree, TCP-only is becoming more and more appealing/relevant with
the number of issues in using UDP.

                Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
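
The off-path matching problem the mail describes (txid and source port as the
only guessable fields, versus a client-chosen nonce that the response must
echo), as an added toy model. This is example code written for this page, not
the draft's wire format and not code from the original mail: the nonce is
simply echoed back, the application-layer checksum is not modelled, the fixed
source port 1025, the name example.test. and the answer 203.0.113.66 are
constructed placeholders, and the attacker is a blind Kaminsky-style sweep over
all 2^16 transaction IDs at one guessed port.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Added example: what an off-path forger must guess before a client accepts a
# spoofed UDP DNS response. NOT the draft's format; the nonce is just echoed
# and the application-layer checksum from the mail is not modelled.

FORGED_RDATA = "203.0.113.66"   # constructed attacker answer (documentation range)
FIXED_PORT = 1025               # hypothetical fixed source port (no randomization / NAT)


@dataclass(frozen=True)
class QueryState:
    """What the client remembers about an outstanding query."""
    txid: int                  # 16-bit DNS transaction ID
    src_port: int              # 16-bit UDP source port the query left on
    nonce: Optional[bytes]     # draft-style client nonce, or None for plain DNS
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    nonce: Optional[bytes]
    qname: str
    rdata: str


def make_query(qname: str, randomize_port: bool, nonce_len: int,
               rng: random.Random) -> QueryState:
    """Client side: random txid, optional random port, optional nonce."""
    port = rng.randrange(1024, 65536) if randomize_port else FIXED_PORT
    nonce = rng.randbytes(nonce_len) if nonce_len else None
    return QueryState(rng.getrandbits(16), port, nonce, qname)


def accept_response(state: QueryState, resp: Response) -> bool:
    """Client-side matching: txid, port, question and (if in use) the nonce."""
    if resp.txid != state.txid or resp.dst_port != state.src_port:
        return False
    if resp.qname != state.qname:
        return False
    if state.nonce is not None and resp.nonce != state.nonce:
        return False
    return True


def guess_bits(randomize_port: bool, nonce_len: int) -> int:
    """Bits an off-path attacker has to guess per forged response."""
    return 16 + (16 if randomize_port else 0) + 8 * nonce_len


def sweep_txids(state: QueryState, guessed_port: int, nonce_len: int,
                rng: random.Random) -> int:
    """Blind spray: one forged response per txid at a single guessed port.
    The attacker never sees the query, so any nonce is a random guess.
    Returns how many forgeries the client accepted."""
    hits = 0
    for txid in range(1 << 16):
        nonce = rng.randbytes(nonce_len) if nonce_len else None
        resp = Response(txid, guessed_port, nonce, state.qname, FORGED_RDATA)
        if accept_response(state, resp):
            hits += 1
    return hits


def scenario(randomize_port: bool, nonce_len: int, seed: int = 1) -> dict:
    """One client query and one attacker sweep that assumes FIXED_PORT."""
    client_rng = random.Random(seed)
    attacker_rng = random.Random(seed + 1000)
    state = make_query("example.test.", randomize_port, nonce_len, client_rng)
    hits = sweep_txids(state, FIXED_PORT, nonce_len, attacker_rng)
    return {"bits": guess_bits(randomize_port, nonce_len), "accepted": hits}


if __name__ == "__main__":
    for rp, nl in [(False, 0), (True, 0), (False, 8)]:
        print(f"port_randomized={rp} nonce_len={nl} -> {scenario(rp, nl)}")
```

With port randomization off (or undone by NAT) and no nonce, a full txid sweep
lands exactly one accepted forgery, which is the case the mail flags; an
8-byte nonce the attacker cannot observe pushes the same sweep to zero hits
even when the port is known, without any extra roundtrip.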