Hi Robert
On Thu, Jun 25, 2020 at 04:07:25PM -0400, Robert Edmonds wrote:
> This seems like a description of a resolver implementation vulnerable to
> the infamous VU#457875. Perhaps an update to the standards track RFC
> 5452 ("Measures for Making DNS More Resilient against Forged Answers")
> would be more appropriate than a new document? That document mentions
> the security problem caused by having multiple outstanding queries for
> the same question but doesn't clearly state a requirement to
> de-duplicate, perhaps because that mitigation was already very common in
> resolver implementations at the time the document was published.
I've been familiar with de-duplication in fctx_match() in BIND (and only
with what was the obvious benefit, i.e., just de-duplication of work). I was
not aware of VU#457875; thank you for pointing to it.
The draft describes a query pattern problem. De-duplication of queries
is one mitigation that helps with upstream NS query spikes. The spikes on the
resolver side are also a nuisance, and they can be smoothed. It is also
not just one herd - with the popularity of apps, there are several
address queries that happen for names that humans don't normally observe
or enter anywhere, to do with analytics, image webservers, etc. These
are high frequency (TTLs of 60s and under). So the resolver gets hit
again and again by different groups of clients in spikes, whereas this
could be a smoother query curve.
Mukund
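The de-duplication discussed in this thread, as an added example that is neither from the thread nor from BIND: a toy resolver that keeps at most one outstanding upstream query per question and queues later clients on it, so a burst of identical client queries yields a single upstream fetch, and a response with no matching outstanding question is discarded. All names, addresses and client counts are constructed.

```python
from collections import defaultdict
# Constructed illustration of query de-duplication; not BIND's fctx_match() code.

class Resolver:
    """Each distinct question owns at most one outstanding upstream query (a
    fetch context); clients asking it while in flight are queued on that one."""

    def __init__(self):
        self.inflight = {}                  # question -> waiting client ids
        self.upstream_sent = []             # questions sent upstream, in order
        self.delivered = defaultdict(list)  # client id -> answers received

    @staticmethod
    def normalize(qname, qtype, qclass):
        # Owner names are case-insensitive; match on a canonical form.
        return (qname.rstrip(".").lower(), qtype.upper(), qclass.upper())

    def client_query(self, client_id, qname, qtype="A", qclass="IN"):
        q = self.normalize(qname, qtype, qclass)
        waiters = self.inflight.get(q)
        if waiters is None:
            # First asker: open a fetch context and send one upstream query.
            self.inflight[q] = [client_id]
            self.upstream_sent.append(q)
        else:
            # Same question already outstanding: join the existing fetch.
            waiters.append(client_id)
        return q

    def upstream_response(self, qname, qtype, qclass, rdata):
        q = self.normalize(qname, qtype, qclass)
        waiters = self.inflight.pop(q, None)
        if waiters is None:
            return 0  # nothing outstanding for this question: discard
        for cid in waiters:
            self.delivered[cid].append((q, rdata))
        return len(waiters)

def simulate_burst(n_clients, names):
    """All clients ask every name at once, then one upstream answer per name arrives."""
    r = Resolver()
    for cid in range(n_clients):
        for name in names:
            r.client_query(cid, name)
    answered = sum(r.upstream_response(n, "A", "IN", "192.0.2.1") for n in names)
    return {"client_queries": n_clients * len(names),
            "upstream_queries": len(r.upstream_sent),
            "clients_answered": answered,
            "outstanding_after": len(r.inflight)}
```

Calling simulate_burst(500, ["analytics.example.", "img.example."]) shows 1000 client queries collapsing into 2 upstream queries with every client answered.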
