On Thu, Aug 25, 2016 at 9:23 AM, Tony Finch <d...@dotat.at> wrote:
> william manning <chinese.apri...@gmail.com> wrote:
>
>> On Thursday, 25 August 2016, Tony Finch <d...@dotat.at> wrote:
>>
>> > william manning <chinese.apri...@gmail.com> wrote:
>> >
>> > > I'm with Ed here. A valid response is silence.
>> >
>> > I think it is important for people producing and deploying DNS server
>> > software and DNS-interfering middleboxes to understand the bad
>> > consequences of dropping queries or responses. If you understand these
>> > effects and still think you can improve things by dropping packets, then
>> > maybe go ahead. But it isn't a simple valid / invalid binary choice.
>>
>> Where does the "badness" occur? The server or resolver?
>
> Both. The resolver suffers extra latency; the server suffers extra traffic
> - even a well-behaved resolver has to retry in this situation.
>
>> The rationale for a server to silently ignore a query often revolves
>> around malformed queries ...  Should a server attempt to answer
>> malformed queries or silently drop them?
>
> See section 7 of the draft. It would be reasonable to rate-limit
> responses.
>
> This kind of nuance is what this draft should discuss.
>
> Tony.

+1, there are other implications besides performance. For example, an
attacker can silence the NS for the victim (either on path, or off path
with a spoofed source subnet). If successful, the attacker doesn't have
to race the NS->victim RTT anymore for successful cache poisoning.

Marek

> --
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Trafalgar: In southeast, cyclonic, mainly easterly 6 to gale 8. In northwest,
> northerly or northeasterly 5 or 6, occasionally 7 later. Moderate or rough. In
> southeast, showers. In northwest, thundery showers. In southeast, moderate or
> good. In northwest, good occasionally poor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
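
An added example, not part of the original thread: a small Python model of the two effects discussed above, the retry traffic and latency caused by a dropped query, and the longer interval in which a forged reply could match when the server stays silent. The RTT, timeout schedule, forged-packet rate and identifier space are constructed values, and all function names are hypothetical.

```python
from dataclasses import dataclass

# All numbers below are constructed for illustration; real resolvers use
# their own retry schedules.
RTT_MS = 20                      # assumed resolver <-> server round trip
TIMEOUTS_MS = (800, 1600, 3200)  # assumed per-attempt resolver timeouts
FORGED_PER_SEC = 10_000          # assumed rate of forged replies
ID_SPACE = 65536 * 64000         # 16-bit query ID x assumed source-port range


@dataclass
class Outcome:
    queries_sent: int      # packets the server receives for one lookup
    resolver_wait_ms: int  # delay before the resolver can act on a result
    open_window_ms: int    # time a query is outstanding and a forgery could match


def lookup(server_answers: bool, rtt_ms: int = RTT_MS,
           timeouts_ms: tuple = TIMEOUTS_MS) -> Outcome:
    """One lookup against one server. Any reply, including an error rcode,
    ends the attempt after one RTT; silence costs every timeout in turn."""
    if server_answers:
        return Outcome(1, rtt_ms, rtt_ms)
    total = sum(timeouts_ms)
    return Outcome(len(timeouts_ms), total, total)


def forged_match_probability(window_ms: int, forged_per_sec: int = FORGED_PER_SEC,
                             id_space: int = ID_SPACE) -> float:
    """Chance that at least one uniformly guessed forged reply matches the
    outstanding query's identifiers while the window is open."""
    n = forged_per_sec * window_ms // 1000
    return 1.0 - (1.0 - 1.0 / id_space) ** n


def compare() -> dict:
    """Side-by-side cost of an explicit reply versus a silent drop."""
    result = {}
    for label, answers in (("reply", True), ("drop", False)):
        o = lookup(answers)
        result[label] = (o.queries_sent, o.resolver_wait_ms,
                         forged_match_probability(o.open_window_ms))
    return result


if __name__ == "__main__":
    for label, (sent, wait, p) in compare().items():
        print(f"{label:5s} queries={sent} wait={wait}ms forged-match p={p:.2e}")
```

With these assumed values the silent server receives three queries instead of one, the resolver waits 5600 ms instead of 20 ms, and the forged-match probability grows roughly in proportion to the window.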
