On 9/28/2012 2:48 PM, Mark Andrews wrote:
> In message <[email protected]>, Tony Finch writes:
>> Mark Andrews <[email protected]> wrote:
>>> Server cookies are the way to go though I would add timestamps so
>>> that server secrets don't need to be changed. The time stamp would
>>> have to be within X seconds of the server's current concept of time
>>> or it will be treated as a bad cookie. The time would be concatenated
>>> to the rest of the data to be hashed.
>> Are you referring to this?
>> http://tools.ietf.org/html/draft-eastlake-dnsext-cookies
> Yes. It's a reasonable way to identify non-spoofed traffic which
> means you can apply filtering techniques to the rest of the traffic
> which will be a mix of spoofed and non-spoofed.
i don't agree. there's no way to tell the difference between a client who hasn't upgraded, vs. a client who has downgraded or is behind a NAT box, vs. a spoofer. therefore we will not be able to drop non-cookied queries even while under attacks which spoof the same netblock as we get a non-cookied query from.

see RFC 6013, as earlier summarized in ;login: (http://static.usenix.org/publications/login/2009-12/openpdfs/metzger.pdf), for another approach to fixing not just DNS but HTTP state management.

paul

--
"I suspect I'm not known as a font of optimism." (VJS, 2012)
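The timestamped server-cookie scheme Mark describes above (timestamp concatenated to the hashed data, rejected when outside a window of X seconds of the server's clock), worked through as an added example that is not code from the thread or from the cookies draft. The 8-byte timestamp, 8-byte truncated HMAC-SHA256, the 300-second window and the sample addresses are all assumptions; the third outcome, "absent", is the case Paul raises, where a missing cookie cannot be attributed to a spoofer rather than an un-upgraded or NATed client.

```python
import hashlib
import hmac
import struct

# Assumed layout (not from the thread): 8-byte big-endian timestamp
# followed by 8 bytes of HMAC-SHA256 output.
WINDOW_SECONDS = 300  # the "X seconds" in Mark's description; value chosen here
TS_LEN = 8
MAC_LEN = 8


def _mac(secret: bytes, client_ip: str, client_cookie: bytes, ts_bytes: bytes) -> bytes:
    # The timestamp is concatenated to the rest of the data before hashing,
    # so the secret does not need to be rotated for the cookie to expire.
    data = client_ip.encode() + client_cookie + ts_bytes
    return hmac.new(secret, data, hashlib.sha256).digest()[:MAC_LEN]


def make_server_cookie(secret: bytes, client_ip: str, client_cookie: bytes, now: int) -> bytes:
    """Server cookie = timestamp || H(secret, client_ip, client_cookie, timestamp)."""
    ts_bytes = struct.pack("!Q", now)
    return ts_bytes + _mac(secret, client_ip, client_cookie, ts_bytes)


def check_server_cookie(secret: bytes, client_ip: str, client_cookie: bytes,
                        cookie: bytes, now: int) -> str:
    """Classify an incoming query: 'valid', 'bad', or 'absent'.

    Only 'valid' identifies non-spoofed traffic.  'absent' covers clients that
    never sent a cookie, which (as the reply above notes) cannot be told apart
    from spoofed traffic, so it is reported separately rather than dropped.
    """
    if not cookie:
        return "absent"
    if len(cookie) != TS_LEN + MAC_LEN:
        return "bad"
    ts_bytes, mac = cookie[:TS_LEN], cookie[TS_LEN:]
    (ts,) = struct.unpack("!Q", ts_bytes)
    # Timestamp outside the window (stale or from the future) is a bad cookie.
    if abs(now - ts) > WINDOW_SECONDS:
        return "bad"
    expected = _mac(secret, client_ip, client_cookie, ts_bytes)
    if not hmac.compare_digest(mac, expected):
        return "bad"
    return "valid"


if __name__ == "__main__":
    # Constructed sample values, not real traffic.
    secret, ip, cc = b"server-secret-example", "192.0.2.1", b"\x01\x02\x03\x04\x05\x06\x07\x08"
    cookie = make_server_cookie(secret, ip, cc, 1_000_000)
    print(check_server_cookie(secret, ip, cc, cookie, 1_000_100))  # valid
    print(check_server_cookie(secret, ip, cc, cookie, 1_000_400))  # bad (stale)
    print(check_server_cookie(secret, ip, cc, b"", 1_000_100))     # absent
```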
