On May 29, 2009, at 7:33 AM, Francis Dupont wrote:

> I don't understand your argument: it seems to apply to UDP over SCTP but here we have SCTP over UDP. BTW the easiest way to convert DNS over UDP into DNS over SCTP is to use an ALG (application layer gateway) which in the DNS is known as a caching server (such servers are already used to provide IPv4/IPv6 transport conversion).

The goal is to apply the SCTP protocol as a means to better protect DNS from source spoofing, resource exhaustion, reflected attack exploitation, and increased latency. SCTP in any form does not prevent deployment of DNSSEC. SCTP might even better facilitate DNSSEC than EDNS0. Use of DNS on SCTP, even when tunneled over UDP, should be explored. The issues related to DDoS risk related to cached macros were presented to various DNS WGs and forums. Unfortunately, this DNS issue earned little respect from the proponents of the protocol using macros and extensive record chaining. The prevalent response was to declare DNS broken by pointing to other aspects of DNS at risk. SCTP seems a reasonable solution in the face of this neglect. Problems are likely to grow much faster than adoption of DNSSEC. In fact, adoption of DNSSEC may make some aspects of DDoS exploitation worse.

Ietf mailing list
