On Wed, 6 Apr 2005, Peter Koch wrote:

> Also, I do not yet understand why the resolver should "pay" for the
> server's ID by presenting its own first, especially since the ID need
> not be meaningful and may even change over time.

The client does need to 'pay' to get that information, although I suspect my reasoning is somewhat different than others'.

If you have a 'small' option to set on the inbound packet that results in the server's outbound packet being significantly larger due to debugging information, the miscreants will eventually stumble on it as being yet another nifty method by which DNS can be used as an amplification attack against a 3rd party. In the long run, this would result in administrators disabling the debug/identifier 'feature' to avoid being used for such an attack, which is not what we want.

It would be better for any debugging solution to have a penalty so it does not get used in such a fashion, and thus administrators leave it enabled. If the penalty is the client handing out _a_ string (preferably with a minimum size), that is acceptable.

( Yes yes, other aspects of DNS can still be used as amplifiers, but there's no point us making it too easy. )

> > b) Agrees with Paul on this change in goals.
> >
> > I'd like to have an agreed upon debugging aid *soon*.

urm... I'll agree with Paul in (ab)using EDNS0 for client/server ID, because it's slightly more elegant than magic-string in the query section, but I don't agree with a complete change in goals for server-id.

I'd like to see server-id continue to be used as the case for having a diagnostic interface enabled, to document old practice, and _to contain a pointer to the preferred practice_. Since the last point is missing, don't publish server-id-04 at the present time.

( I don't think publishing-as-RFC a document that says 'something with these properties would be cool, but we don't have that yet' is a good idea. )

> > Silence will be interpreted as "yes" on (a) and "no" on (b).

--
Bruce Campbell.

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
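The amplification concern and the proposed 'penalty' in the message above, as an added Python example that is not part of the original thread, of the server-id drafts, or of any DNS implementation. It parses and rebuilds the option list of an EDNS0 OPT record, then compares two server-side policies: a naive one that returns the full identifier to any query carrying a client-id option, and a 'paid' one that only answers when the client has presented an identifier of at least a minimum size and never returns more bytes than it received. The option codes (65001, 65002), the 64-byte minimum and all sample data are constructed assumptions for the illustration, not assigned values.

```python
from __future__ import annotations
import struct

# Hypothetical EDNS0 option codes for the client-id / server-id exchange the
# thread discusses. These are placeholders chosen from the range reserved for
# local/experimental use, not values assigned by IANA or by any draft.
OPT_CLIENT_ID = 65001
OPT_SERVER_ID = 65002

# Policy knob (assumed): the smallest client identifier the server will accept
# before it adds its own identifier to the reply.
MIN_CLIENT_ID_LEN = 64


def parse_edns_options(rdata: bytes) -> list[tuple[int, bytes]]:
    """Parse the option list carried in an OPT pseudo-RR's RDATA.

    Each option is OPTION-CODE (2 bytes), OPTION-LENGTH (2 bytes), OPTION-DATA.
    Malformed or truncated input raises ValueError instead of being guessed at.
    """
    options = []
    offset = 0
    while offset + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[offset:offset + 4])
        offset += 4
        if offset + length > len(rdata):
            raise ValueError("truncated EDNS option data")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    if offset != len(rdata):
        raise ValueError("trailing bytes after last EDNS option")
    return options


def build_edns_options(options: list[tuple[int, bytes]]) -> bytes:
    """Serialise an option list back into OPT RDATA."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in options)


def naive_server_id_options(query_options, server_id: bytes):
    """The 'small option in, big answer out' design the message warns about:
    any query carrying a client-id option, of any size, gets the full
    server identifier back."""
    if any(code == OPT_CLIENT_ID for code, _ in query_options):
        return [(OPT_SERVER_ID, server_id)]
    return []


def paid_server_id_options(query_options, server_id: bytes):
    """The 'penalty' variant: the server identifier is only returned when the
    client presented at least MIN_CLIENT_ID_LEN bytes of its own, and it is
    never longer than what the client sent, so this option cannot amplify."""
    client_id = next((data for code, data in query_options
                      if code == OPT_CLIENT_ID), None)
    if client_id is None or len(client_id) < MIN_CLIENT_ID_LEN:
        return []
    return [(OPT_SERVER_ID, server_id[:len(client_id)])]


def amplification_factor(query_options, response_options) -> float:
    """Bytes of OPT RDATA sent back per byte of OPT RDATA received."""
    sent = len(build_edns_options(query_options))
    returned = len(build_edns_options(response_options))
    return returned / sent if sent else float("inf")


if __name__ == "__main__":
    # Constructed sample data: a 200-byte server identifier, a 1-byte
    # client-id from a would-be abuser, and a client that pays 64 bytes.
    server_id = b"S" * 200
    cheap_query = [(OPT_CLIENT_ID, b"x")]
    paying_query = [(OPT_CLIENT_ID, b"c" * MIN_CLIENT_ID_LEN)]

    for name, policy in (("naive", naive_server_id_options),
                         ("paid", paid_server_id_options)):
        for label, query in (("1-byte client-id", cheap_query),
                             ("64-byte client-id", paying_query)):
            factor = amplification_factor(query, policy(query, server_id))
            print(f"{name:5s} {label:17s} amplification x{factor:.1f}")
```

The naive policy turns a 5-byte option payload into a 204-byte one (gain of about 40x on this part of the packet), which is exactly the property that makes an administrator switch the feature off; the paid policy caps the gain on this option at 1.0 and returns nothing at all to a client that has not presented the minimum-size string.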
