* Stephane Bortzmeyer:

>> it seems T/TCP is dead because of some security issues.
>
> Correct (RFC 4614, section 5) but, unfortunately, these issues were
> apparently never properly documented (no "T/TCP deprecated" RFC) and
> it is hard to find a reference to a description of these security
> problems.

I think it's CERT VU#464113, a TCP implementation problem.  Fixing
that (or rather, stopping its use) had the unfortunate side effect of
killing T/TCP outright.  This wasn't considered to be a problem at that
time because API support for T/TCP just wasn't there (and certainly
the situation hasn't changed favorably to T/TCP since then).

Anyway, I think it's possible to run DNS over TCP in a
mostly-stateless fashion if only one wishes to do so.  Only the
initiator needs to keep state:

  I: sends SYN

  R: sends SYN+ACK with cookie (no state is created)
  
  I: sends ACK, with query   -- or --    I: sends ACK
                                         I: sends query

                         -- but not --   I: sends ACK
                                         I: sends length of query
                                         I: sends query

              (preventing this requires support from the initiator)

  R: validates cookie, sends ACK with response
  R: ... continues to send response (possibly ignoring the window size,
     which requires cooperation from the initiator)
  R: sends FIN, kill the socket (no state has been created so far)

  I: receives response and the FIN, kills the socket

There's no conceptual problem with running DNS over TCP.  The problem
is that at least one implementor claims not to support TCP well enough
to take the load if it is overused, not that TCP is unsuitable for
short-term connections (the HTTP experience kind of refutes that
anyway).

-- 
Florian Weimer                <[EMAIL PROTECTED]>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
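The exchange sketched in the post above, as an added worked example that is not part of Florian's message or of any named implementation. It simulates TCP with plain Python objects rather than sockets, and keeps all state on the initiator: the responder's ISN is a SYN-cookie-style value (coarse time counter in the top bits, keyed hash over the 4-tuple and the client's ISN in the rest, computed here with HMAC-SHA256 and without the MSS encoding real SYN cookies carry), re-derived from every ACK rather than looked up. The three initiator behaviours from the post are modelled as modes: query piggybacked on the handshake ACK, bare ACK then query, and bare ACK, length prefix, query. The last is the one the post says the responder cannot serve; answering it with RST is this demo's choice, as are the constructed secret, the TEST-NET addresses and the fixed A record in the reply.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

COOKIE_SECRET = b"constructed-demo-secret"   # constructed; a real responder rotates it
TIME_BITS = 5                                # top 5 ISN bits carry a coarse time counter
MAX_AGE = 2                                  # accept cookies from the last 2 ticks

@dataclass
class Segment:
    """Minimal stand-in for a TCP segment; the demo never touches real sockets."""
    src: tuple          # (4-byte IP, port)
    dst: tuple
    flags: str          # "SYN", "SYN+ACK", "ACK", "ACK+FIN" or "RST"
    seq: int
    ack: int = 0
    data: bytes = b""

def make_cookie(src, dst, client_isn, tick):
    """Responder ISN derived from the 4-tuple, client ISN and time tick (SYN cookie)."""
    mac = hmac.new(COOKIE_SECRET, struct.pack("!4sH4sHII", *src, *dst, client_isn, tick),
                   hashlib.sha256).digest()
    h = struct.unpack("!I", mac[:4])[0] & ((1 << (32 - TIME_BITS)) - 1)
    return ((tick & ((1 << TIME_BITS) - 1)) << (32 - TIME_BITS)) | h

def check_cookie(src, dst, client_isn, cookie, now_tick):
    """Recompute for each recent tick; a stale or forged cookie matches none of them."""
    return any(make_cookie(src, dst, client_isn, now_tick - age) == cookie
               for age in range(MAX_AGE + 1) if now_tick - age >= 0)

def dns_query(qid, name):
    """Constructed A query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def dns_answer(query):
    """Constructed responder logic: echo the question, answer A 192.0.2.1 (TEST-NET-1)."""
    qid, _, qd = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", qid, 0x8180, qd, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr

class StatelessResponder:
    """Decides everything from the segment in hand plus the cookie it echoes."""
    def __init__(self, addr):
        self.addr = addr
        self.tick = 0   # coarse clock, advanced by the caller in this demo

    def handle(self, seg):
        if seg.flags == "SYN":
            cookie = make_cookie(seg.src, self.addr, seg.seq, self.tick)
            return [Segment(self.addr, seg.src, "SYN+ACK", seq=cookie, ack=seg.seq + 1)]
        if "ACK" not in seg.flags:
            return []
        client_isn, cookie = seg.seq - 1, seg.ack - 1   # the SYN consumed one sequence number
        if not check_cookie(seg.src, self.addr, client_isn, cookie, self.tick):
            return [Segment(self.addr, seg.src, "RST", seq=seg.ack)]
        if not seg.data:
            return []   # bare handshake ACK: valid, but there is nothing to remember
        n = struct.unpack("!H", seg.data[:2])[0] if len(seg.data) >= 2 else None
        if n is None or len(seg.data) - 2 < n:
            # RFC 1035 length prefix and message arrived split; with no buffer for the
            # partial message the only stateless option (this demo's choice) is to reset.
            return [Segment(self.addr, seg.src, "RST", seq=seg.ack)]
        answer = dns_answer(seg.data[2:2 + n])
        return [Segment(self.addr, seg.src, "ACK+FIN", seq=cookie + 1,
                        ack=seg.seq + len(seg.data), data=struct.pack("!H", len(answer)) + answer)]

def run_exchange(responder, client, query, mode):
    """Initiator side: keeps the only state. Returns the responder's replies in order."""
    isn = 5000
    synack, = responder.handle(Segment(client, responder.addr, "SYN", seq=isn))
    framed = struct.pack("!H", len(query)) + query
    ack = synack.seq + 1
    def seg(seq, data=b""):
        return Segment(client, responder.addr, "ACK", seq=seq, ack=ack, data=data)
    if mode == "ack_with_query":            # query piggybacked on the handshake ACK
        segs = [seg(isn + 1, framed)]
    elif mode == "ack_then_query":          # bare ACK, then the whole framed query
        segs = [seg(isn + 1), seg(isn + 1, framed)]
    else:                                   # "ack_length_query": length prefix on its own
        segs = [seg(isn + 1), seg(isn + 1, framed[:2]), seg(isn + 3, framed[2:])]
    replies = []
    for s in segs:
        replies += responder.handle(s)
        if replies and replies[-1].flags in ("RST", "ACK+FIN"):
            break   # the initiator tears its socket down on either
    return replies
```

Two things worth noticing when running it: the responder never stores anything between segments, so a forged or stale ACK costs it only one HMAC before the RST; and the "bare ACK, then query" mode works only because the query segment still carries the same sequence and acknowledgement numbers as the handshake ACK, which is exactly what breaks once a length prefix consumes sequence space in a segment of its own.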
