Hi Paul I'm CC'ing this reply to the dnsop@ list as it is relevant info for others to read too. So I've not quoted your email.
UDP has a header checksum that can notice message modification when in use. Sometimes this may be 0 if the sender host did not generate a checksum. This draft adds one in the application layer alongside a nonce known to the client. Together they are meant to thwart any possibility of different kinds of off-path cache-poisoning attacks. It is a simpler, lesser form of DNS cookies that goes a little further from the client's perspective.

If some countermeasures such as source port randomization are either turned off (perhaps when DNS cookies are in use; typically source port randomization has a significant performance penalty) or ineffective, perhaps due to NAT, there is a remote possibility of poisoning with IP fragmentation. Note that this draft still cannot prevent some kinds of attack such as response and NS blocking and NS pinning as described in Herzberg and Shulman's paper (cited in the draft).

There are practical issues with TCP which are still currently prevalent:

1. The 3-way handshake doubles the number of roundtrips necessary before an answer is received. With iteration, it can result in conspicuously increased average turnaround time in applications such as web browsing, as DNS is the starting point. This becomes noticeable in a location such as where I live (India), from where the RTT to many of the medium-popularity websites' DNS nameservers is quite high. There are some efforts to solve this such as TCP Fast Open, but they are not widely deployed. Once the records are cached everything is faster, but a delay is still a delay. RTT to almost everywhere significant is high from here. Also, OTOH, use of DNS cookies with UDP itself may require additional roundtrips.

2. There are concerns on whether using TCP is scalable for DNS. The dns-dev-coord list was set up to discuss this topic and try to improve TCP performance across implementations.

But I agree, TCP-only is becoming more and more appealing/relevant with the number of issues in using UDP.

Mukund
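As an added illustration of the UDP checksum point above (this code is not part of the thread or of the draft under discussion), the following verifies the RFC 768 checksum of a constructed IPv4/UDP datagram carrying a DNS response: a present checksum catches an in-flight modification of the answer, while a zero checksum means "none supplied" and detects nothing. The addresses and the DNS payload are constructed sample values.

```python
"""Verify the UDP checksum of an IPv4/UDP datagram carrying DNS.

Added example, not code from the mailing-list thread or the draft.
Packet bytes below are constructed for illustration only.
"""
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """RFC 768 checksum over IPv4 pseudo-header + UDP segment, with the
    checksum field taken as zero. A computed 0 is transmitted as 0xFFFF,
    because a literal 0 on the wire means 'no checksum'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True):
    """Build a UDP segment; with_checksum=False leaves the field at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        udp = udp[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, udp)) + udp[8:]
    return udp

def verify_udp(src_ip, dst_ip, udp) -> str:
    """Return 'absent' (checksum 0, nothing verified), 'ok' or 'bad'."""
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return "absent"
    return "ok" if udp_checksum(src_ip, dst_ip, udp) == stored else "bad"

# Constructed DNS response: id 0x1234, flags QR|RD|RA, one question, one A answer.
DNS_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)          # QNAME, A, IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
SRC, DST = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])      # constructed addresses
TAMPERED_RDATA = bytes([203, 0, 113, 9])                          # substituted answer IP

if __name__ == "__main__":
    good = build_udp(SRC, DST, 53, 40000, DNS_RESPONSE)
    print(verify_udp(SRC, DST, good))                               # ok
    print(verify_udp(SRC, DST, good[:-4] + TAMPERED_RDATA))         # bad
    nocsum = build_udp(SRC, DST, 53, 40000, DNS_RESPONSE, with_checksum=False)
    print(verify_udp(SRC, DST, nocsum[:-4] + TAMPERED_RDATA))       # absent
```

Note that the transport checksum only detects corruption or modification of a datagram in flight; a party who builds the whole datagram computes a valid checksum, which is why the draft layers its own checksum and a client-known nonce on top.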
DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop