Hi, Stephane, Thanks so much for your prompt response. Comments in-line...
On 07/28/2014 08:42 AM, Stephane Bortzmeyer wrote:
>> This essentially raises the question of "What's the plan for
>> transporting DNS queries/responses in IPv6?"
>
> Why do we need a plan? We serve DNS over IPv6 for now ten years and it
> works (not "I think it works" but "it is monitored so I'm certain it
> works").

Just curious: How do you check that the UDP-based DNS replies actually
get to the node that sent the query?

> The problem with extension headers is annoying but, today,
> they are not used (of course, it's partially a chicken and egg
> problem, similar to the problem of IPv4 options: they are not
> transported reliably so people don't use them, so there is no
> motivation to make them reliable, etc).

Agreed.

>> Quite a few folks usually argue "oh, that's simple: we'll use TCP",
>
> There are many good reasons to use TCP but, in that case, I do not see
> why we need it. First, IPv6 users typically don't use extension
> headers and,

How do you send responses larger than, say, ~1500 bytes without
fragmentation?

> second, if the problem is in IP, why would changing from
> UDP to TCP work?

Because TCP can avoid fragmentation.

>> does popular DNS server software implement mitigations for TCP-based
>> attacks?" (zero-windows, FIN-WAIT-X flooding, etc.)
>
> Is it something that should be done in every application, and not in
> TCP itself?

There are some mitigations that can be implemented in the kernel, while
others make more sense to implement at the app (yes, it'd be ugly to
duplicate code in multiple apps, but....)

Thanks,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
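Added example, not part of the thread above: the fragmentation budget behind the "use TCP" argument, worked through for the IPv6 minimum MTU. It assumes no extension headers (as the thread notes they are rarely used), and the sample DNS reply is constructed inline; the decision logic is a stub resolver's usual TC-bit fallback, written here as illustration rather than taken from any particular DNS implementation.

```python
import struct

# RFC 8200: every IPv6 link must carry at least 1280-byte packets, so a UDP
# DNS message that fits this budget is never fragmented on the path.
IPV6_MIN_MTU = 1280
IPV6_HDR = 40   # fixed IPv6 header; assumes no extension headers (see thread)
UDP_HDR = 8


def max_unfragmented_dns_payload(path_mtu: int = IPV6_MIN_MTU) -> int:
    """Largest DNS/UDP message that fits one IPv6 packet of path_mtu bytes."""
    return path_mtu - IPV6_HDR - UDP_HDR      # 1232 for the minimum MTU


def would_fragment(dns_len: int, path_mtu: int = IPV6_MIN_MTU) -> bool:
    """True when a UDP reply of dns_len bytes needs IPv6 fragmentation."""
    return dns_len > max_unfragmented_dns_payload(path_mtu)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),       # response bit
        "tc": bool(flags & 0x0200),       # truncation bit: answer did not fit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def choose_transport(udp_reply: bytes, path_mtu: int = IPV6_MIN_MTU) -> str:
    """Retry over TCP when the server truncated the answer (TC=1), or when
    the reply only arrived because it was fragmented, which the thread
    describes as unreliable across IPv6 paths."""
    hdr = parse_header(udp_reply)
    if hdr["tc"] or would_fragment(len(udp_reply), path_mtu):
        return "tcp"
    return "udp"


def build_reply(ident: int, tc: bool, body_len: int) -> bytes:
    """Constructed sample reply: real header, opaque filler standing in for
    the question and resource records (enough to exercise the size logic)."""
    flags = 0x8000 | (0x0200 if tc else 0)
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + b"\x00" * body_len
```

With EDNS0 the same budget (1232 bytes) is what a stub advertises as its UDP payload size, so a server truncates instead of emitting a reply that would fragment.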
