In message <20121121084640.0d470d3a@localhost>, John Kristoff writes:
> On Wed, 21 Nov 2012 14:19:02 +0000
> Tony Finch <[email protected]> wrote:
>
> > I doubt it would provide any advantage compared to DNS over TCP.
>
> Your doubt isn't very convincing to me, but I'm not inclined to argue
> too strenuously that it would be worth doing in lieu of just utilizing
> TCP. Nevertheless, I would certainly be interested in experimenting
> with a DNS over DCCP implementation if someone builds it.
>
> > You can't fix an attack by inviting the attackers to change to a more
> > well-behaved protocol.
>
> The annoying source spoofed attacks that result in reflection and
> amplification, and to the degree that they are actually happening in
> the wild or not the Kaminsky-style cache poisoning, would help address
> the problem if something like DCCP were to supplant UDP.
Moving off UDP would take decades and there is no need to do so. We have
the ability to defeat amplification attacks today, continuing to use UDP
as a transport and not breaking older clients. It is only a matter of
deploying the technology. Legacy clients get sent to TCP as a transport
(one can set an acceptable amplification threshold/response size to
trigger on). Updated clients continue to use UDP after establishing that
there is a two-way path.

> Note, there are a number of services over UDP that might benefit from
> a change away from UDP for similar reasons. Architecturally DCCP seems
> to make more sense to me than the heavier TCP-based or
> application-specific solution like Donald Eastlake's draft Paul
> pointed to, but I realize deep architectural changes are unlikely.
>
> John

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
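As an added illustration of the server-side policy Mark describes (example code, not from this thread, ISC or any DNS implementation), here is a simplified Python model: a source that has not proven a two-way path only gets a full UDP answer while the reply stays under an amplification threshold, otherwise it receives a minimal truncated reply (TC set) and must retry over TCP; a client that echoes a server-issued token bound to its source address has proven the path and gets full answers over UDP. The token scheme, the threshold values and the secret are constructed assumptions for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed secret for the example; a real server would generate and rotate it.
SERVER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

@dataclass
class Query:
    client_ip: str                          # source address of the datagram (may be spoofed)
    size: int                               # size of the query datagram in bytes
    client_cookie: Optional[bytes] = None   # token chosen by an updated client
    server_cookie: Optional[bytes] = None   # token the client echoes back to us

def make_server_cookie(client_ip: str, client_cookie: bytes) -> bytes:
    """Bind a token to (source address, client token) with the server secret."""
    mac = hmac.new(SERVER_SECRET, client_ip.encode() + client_cookie, hashlib.sha256)
    return mac.digest()[:8]

def two_way_path_verified(q: Query) -> bool:
    """A correctly echoed token proves an earlier reply reached this address."""
    if q.client_cookie is None or q.server_cookie is None:
        return False
    expected = make_server_cookie(q.client_ip, q.client_cookie)
    return hmac.compare_digest(q.server_cookie, expected)

def answer(q: Query, response_size: int, max_ratio: float = 3.0, max_bytes: int = 512) -> dict:
    """Decide how a response of response_size bytes is sent to query q.

    Returns the bytes actually sent over UDP, whether TC was set (client must
    retry over TCP) and the server cookie included, if any.
    """
    reply = {"tc": False, "bytes_sent": response_size, "server_cookie": None}
    if q.client_cookie is not None:
        # Every reply, full or truncated, carries a token so the next query can be verified.
        reply["server_cookie"] = make_server_cookie(q.client_ip, q.client_cookie)
    if two_way_path_verified(q):
        return reply                     # proven two-way path: full answer over UDP
    # Unverified source: reflect only within the configured amplification threshold.
    if response_size <= max_bytes and response_size <= q.size * max_ratio:
        return reply
    # Too large to reflect blindly: minimal truncated reply, legacy client retries over TCP,
    # where the handshake itself proves the source address.
    reply["tc"] = True
    reply["bytes_sent"] = q.size
    return reply

def amplification(q: Query, reply: dict) -> float:
    """Bytes sent toward the source per byte the requester had to send."""
    return reply["bytes_sent"] / q.size
```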
