Folks, (Apologies if this has been debated to death already).
At the last IEPG meeting we presented some results regarding the filtering of packets that employ IPv6 extension headers (please see: <http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>). The packet drop rates range from 10% to over 50%, depending on the dataset (FWIW, these packet drops have nothing to do with DNS-specific packet drops caused by sloppy firewalls or the like).

This essentially raises the question of "What's the plan for transporting DNS queries/responses in IPv6?"

At different venues (including the IETF), I've received/listened to different opinions. Quite a few folks usually argue "oh, that's simple: we'll use TCP", while others tend to argue that "one should be careful when thinking about relying on TCP for DNS queries/responses" (e.g. see <http://www.iepg.org/2013-11-ietf88/2013-11-Time-Value-DNS.pdf>).

While this issue/question may be currently masqueraded by the fact that we still have IPv4, I wonder what's "the plan" for the IPv6 case (at some point, we'll have to rely on whatever such plan is).

If the answer is "fall-back to TCP if UDP doesn't work", my next question would be "does popular DNS server software implement mitigations for TCP-based attacks?" (zero-windows, FIN-WAIT-X flooding, etc.)

Thoughts?

Thanks!

-- 
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
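
The "fall back to TCP if UDP doesn't work" path the post asks about, as an added example that is not part of the original message: a minimal resolver that sends the query over UDP first, falls back to TCP when UDP times out (as when the packet is dropped on the path) or the reply has the TC bit set, and reads the RFC 1035 length-prefixed TCP framing only under a socket timeout, so a peer that stalls cannot hold the reader open indefinitely. The server address, query name and timeout values are assumed placeholders.

```python
import socket
import struct

LEN_PREFIX = struct.Struct("!H")  # RFC 1035 4.2.2: 2-byte length prefix on every TCP DNS message

def build_query(qname: str, qtype: int = 28, txid: int = 0x1234) -> bytes:
    """Minimal DNS query with RD set; qtype 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, 1)  # class IN

def is_truncated(resp: bytes) -> bool:
    """TC bit set: the answer did not fit in the UDP reply, so it must be retried over TCP."""
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)

def tcp_frame(msg: bytes) -> bytes:
    return LEN_PREFIX.pack(len(msg)) + msg

def read_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; the socket must carry a timeout so a silent peer raises instead of hanging."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return bytes(buf)

def tcp_read_message(sock: socket.socket) -> bytes:
    (length,) = LEN_PREFIX.unpack(read_exact(sock, 2))
    return read_exact(sock, length)

def resolve(qname: str, server: str, timeout: float = 2.0) -> bytes:
    """Try UDP first; fall back to TCP when UDP times out or the reply is truncated."""
    query = build_query(qname)
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(query, (server, 53))  # server: assumed IPv6 literal, e.g. "2001:db8::53"
            resp, _ = udp.recvfrom(4096)
            if resp[:2] == query[:2] and not is_truncated(resp):
                return resp
    except socket.timeout:
        pass  # no UDP answer (e.g. dropped on the path); retry over TCP below
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        return tcp_read_message(tcp)
```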
