At Fri, 8 Feb 2019 00:39:27 +0530, Mukund Sivaraman <m...@mukund.org> wrote:
> > The draft doubles the number of packets involved in a legitimate
> > exchange; it more than doubles the number of packets involved in a
> > spoofed exchange. About half of these packets are ICMP
> > packets. Without the draft, ICMP packets are useful debugging aids,
> > and in big numbers, indications of attacks or operational
> > problems. With the draft, ICMP becomes another useless source of
> > background noise.
>
> I had implemented the draft about a year ago as a server-side patch for
> BIND so that it could be tried/tested. But I was not aware of the ICMP
> issue that you mentioned. Today I looked at a packet capture with ATR
> response and sure enough, the 2nd truncated response generates an ICMP
> message from the recipient. I agree that this would be noisy.

Probably off topic in the context of the adoption call, but I'd note
that it depends on some implementation details of the resolver. ICMP
port unreachable errors are likely to increase if the resolver closes
the UDP socket for a query with an authoritative server immediately
after it receives a return packet. BIND behaves that way by default, and
so did PowerDNS recursor when I checked the implementation many years
ago (it probably still does). But not all resolver implementations
adopt this practice; if I understand it correctly, Unbound uses a pool
of (many) UDP sockets and reuses the same socket for multiple queries.
I've not tested it myself, but I believe you won't see an increase in
ICMP errors with such resolver implementations.

--
JINMEI, Tatuya
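The socket-handling detail above can be reproduced on a single host. The following is an added example, not code from the thread, from BIND, PowerDNS or Unbound: it plays both sides over loopback with two constructed datagrams standing in for the normal response and the ATR-style truncated copy, and compares a resolver that closes its query socket as soon as the first response arrives with one that keeps the socket open, as a pooled-socket resolver would. The server socket enables IP_RECVERR so the ICMP port unreachable comes back through its error queue, which is a Linux-specific mechanism (assumed constants, function names and payloads are this example's own).

```python
"""Closed-socket vs. kept-open resolver behaviour on an ATR-style second datagram.

Linux only: the ICMP error is read back via IP_RECVERR / MSG_ERRQUEUE.
All payloads are constructed stand-ins, not real DNS messages.
"""
import errno
import select
import socket
import struct

# Linux values; older Python releases lack the symbolic names.
IP_RECVERR = getattr(socket, "IP_RECVERR", 11)
MSG_ERRQUEUE = getattr(socket, "MSG_ERRQUEUE", 0x2000)
SO_EE_ORIGIN_ICMP = 2                      # ee_origin for ICMP-triggered errors
PORT_UNREACHABLE = (errno.ECONNREFUSED, 3, 3)   # (errno, ICMP type 3, code 3)

QUERY = b"constructed-query"
RESPONSE = b"constructed-response"          # the normal response
ATR_COPY = b"constructed-truncated-copy"    # the extra datagram ATR adds


def make_auth_server():
    """Stand-in authoritative server: one unconnected UDP socket on loopback,
    with IP_RECVERR so ICMP errors against it are queued instead of dropped."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_RECVERR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(1.0)
    return srv


def read_icmp_error(srv, timeout=0.3):
    """Return (errno, icmp_type, icmp_code) for the first ICMP error reported
    against srv, or None if nothing is queued within timeout."""
    readable, _, exceptional = select.select([srv], [], [srv], timeout)
    if not readable and not exceptional:
        return None
    try:
        _, ancdata, _, _ = srv.recvmsg(512, 256, MSG_ERRQUEUE)
    except BlockingIOError:        # readable for a real datagram, no error queued
        return None
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_RECVERR:
            # struct sock_extended_err: ee_errno(u32), ee_origin, ee_type, ee_code ...
            ee_errno, origin, ee_type, ee_code = struct.unpack_from("=IBBB", data)
            if origin == SO_EE_ORIGIN_ICMP:
                return ee_errno, ee_type, ee_code
    return None


def run_scenario(close_after_first_response):
    """Run one query/response exchange and report what each side observed.

    close_after_first_response=True  models a per-query socket (closed right
    after the first response); False models a socket that is kept open for
    reuse, as a pooled-socket resolver would do."""
    srv = make_auth_server()
    res = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    res.settimeout(1.0)
    seen = 0
    try:
        res.sendto(QUERY, srv.getsockname())
        _, client = srv.recvfrom(512)
        srv.sendto(RESPONSE, client)          # normal response goes out first

        if res.recv(512) == RESPONSE:
            seen += 1
        if close_after_first_response:
            res.close()                       # port is now unbound...

        srv.sendto(ATR_COPY, client)          # ...so this copy elicits ICMP
        icmp = read_icmp_error(srv)

        if not close_after_first_response and res.recv(512) == ATR_COPY:
            seen += 1                         # open socket just gets both
    finally:
        if not close_after_first_response:
            res.close()
        srv.close()
    return {"responses_seen": seen, "icmp_error": icmp}


if __name__ == "__main__":
    for mode in (True, False):
        print("close-after-first" if mode else "keep-open", run_scenario(mode))
```

In the close-after-first run the server is handed an ICMP type 3 code 3 (port unreachable) and, because the error is now pending on its socket, its next receive would fail with ECONNREFUSED as well; in the keep-open run the resolver simply reads both datagrams and no ICMP is generated, which is the difference the message above points at.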
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop