Actually, IoT OS platforms are mostly not stripped versions of Linux; most
are purpose-built, real-time OSes. One of the more popular is RIOT. If
you look at the attacks on these OSes, you can look at Mirai, the BOT which
shows lots of packet love.
Concur that you should touch base with RSSAC before deciding to punt
traffic to the root servers to reject.  The RFC 1918 leaks were bad enough
to force the development of the AS112 infrastructure to absorb that traffic
so the roots could survive.

So we can make the delegation NOW and declare it unsigned, or we can punt
(more) traffic to the roots.
Trying to get DNSSEC validation into IoT devices requires code in the end
systems...  and

Elsewhere, Mr. O'Dell said:
"Seriously, the crapware contingent squeezes every byte out of the software
in those devices, and if somebody cannot show the incremental revenue is a
lot bigger than forcing the customer to buy a new one at some point,
there's no [dnssec] in them. Remember there is a huge difference between
inexpensive and cheap, and when consumer crapware is involved, bet on cheap
every time."

Now if we want to force the functional equivalent of renal failure on the
root servers, then by all means, don't make the delegation and hope nothing
leaks out to the public Internet.

/Wm

On Thu, Dec 15, 2016 at 1:11 PM, John R Levine <jo...@taugh.com> wrote:

> On Thu, 15 Dec 2016, Ted Lemon wrote:
>
>> Billions and billions of them?   How often do they query the root, do you
>> think, compared to a stub resolver that did recursion itself?
>>
>
> I have no idea, although I do know that IoT devices tend to use stripped
> down linux distros.
>
> In any event, given that most of the root traffic is junk, I wouldn't
> think that any plausible increase in non-junk traffic would be noticeable.
> Queries for TLDs cache really well.  You might want to talk to the RSSAC.
>
> R's,
> John
>
>
>
>> On Thu, Dec 15, 2016 at 3:57 PM, John R Levine <jo...@taugh.com> wrote:
>>
>>>> Putting an iterative resolver in a stub resolver is an attack on the DNS
>>>> infrastructure.
>>>
>>> Ted might want to alert all of the BSD and linux distros that default to
>>> running a copy of bind or unbound answering queries on 127.0.0.1.
>>>
>>> Regards,
>>> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
>>> Please consider the environment before reading this e-mail.
>>> https://jl.ly
>>>
>>> _______________________________________________
>>> homenet mailing list
>>> homenet@ietf.org
>>> https://www.ietf.org/mailman/listinfo/homenet
>>>
>>>
>>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> DNSOP mailing list
> dn...@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>