Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Paul Wouters

On Sun, 31 Mar 2013, Randy Bush wrote:

> if they won't close the open resolver, you think they're gonna force tcp
> only?


The open resolvers for the Fedora Project that are used by
dnssec-trigger do exactly that. They only allow TCP.

Not all open resolvers are run by brainless admins. And I believe
open resolvers are crucial to the open nature of the internet.

Paul
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Randy Bush
>> if they won't close the open resolver, you think they're gonna force
>> tcp only?
> Not all open resolvers are run by brainless admins.

between the brainless and those who don't read mailing lists or update
software, i fear enough will remain to keep us foaming at the mouth like
rabid raccoons.

randy


Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Stephane Bortzmeyer
On Sun, Mar 31, 2013 at 12:27:05PM -0400,
Paul Wouters p...@nohats.ca wrote
a message of 18 lines which said:

> Not all open resolvers are run by brainless admins. And I
> believe open resolvers are crucial to the open nature of the
> internet.

There are two categories of open resolvers. The vast majority is made
of unmanaged boxes or boxes managed by a clueless and irresponsible
admin.

A very small minority is run by people who know what they are doing
(everyone has his favorite example, let me mention OARC's ODVR
https://www.dns-oarc.net/oarc/services/odvr). That's why RFC 5358 is
careful in its wording and does not say that resolvers MUST NOT be
recursive.



Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Vernon Schryver
> From: Paul Wouters p...@nohats.ca
>
> Not all open resolvers are run by brainless admins. And I believe
> open resolvers are crucial to the open nature of the internet.

There is a much better case for open SMTP relays, but we all know
how that turned out.

More power to you if you can follow the lead of Google, OpenDNS, and
others in running open resolvers that do not abuse the rest of the
Internet.  However, in real life the history of SMTP relays is being
repeated.  Not only are almost all open resolvers orphans that would
be closed if their owners knew about them, but most intentionally open
resolvers are run by brainless admins with silly delusions of being
competent enough to prevent abuse.
If you (anyone) are running an open resolver and not deluded, then
great!--but just as with SMTP relays, if you are running an open
resolver or relay, you're probably fooling yourself.



] From: Joe Abley jab...@hopcount.ca

] There seems to be an implicit assumption in this thread that when
] we say DNS over TCP, we mean setting up a TCP session and tearing it
] down again once per query.

In practice on the real Internet, that is what will continue to be
so for the foreseeable future.  If we could change those 21 million
open resolvers to cache TCP sessions, then we'd also close them and
so not need to pay any of the costs of TCP.


] If instead we imagine persistent pools of TCP connections open between
] stubs and resolvers which are rarely set up or torn down, how is the
] overhead in bandwidth, latency and CPU cycles substantially different
] from UDP?

For the duration of the TCP connection, you use only 3 packets per
request (request, response, and ack unless the ack is piggybacked
on the next request) and so only 50% more bandwidth than UDP.

However, even if you don't think 50% more bandwidth and packets matter,
there are cheaper ways to save enough state to recognize repeat
clients.  Neither the client nor the server need a 100 or 200 byte
TCB for DNS cookies.
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03
With DNS cookies, servers don't need to save any state at all.  That
sounds better than expecting the roots to maintain millions of open
TCP connections.


Vernon Schryver v...@rhyolite.com
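The stateless property Vernon describes, as an added illustration that is not part of the thread and not the draft's own algorithm: the server derives its cookie from the client cookie, the client's source address and a server-held secret, so it keeps no per-client table and a query arriving from a different (spoofed) address fails verification. The EDNS option code 10 is the one later assigned to COOKIE by RFC 7873; the HMAC-SHA256 construction, the fixed secret and the sample addresses are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

COOKIE_OPTION_CODE = 10  # EDNS0 COOKIE option code (RFC 7873)
# Constructed, fixed secret for the example; a real server rotates it.
SERVER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def make_server_cookie(client_cookie: bytes, client_ip: str,
                       secret: bytes = SERVER_SECRET) -> bytes:
    """Derive an 8-byte server cookie. The server stores nothing about the
    client: the cookie can be recomputed from the query itself (assumed
    HMAC-SHA256 construction, not the draft's exact recipe)."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    msg = client_cookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def verify_server_cookie(client_cookie: bytes, server_cookie: bytes,
                         client_ip: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute and compare in constant time. A query whose source
    address was spoofed cannot carry a cookie that passes this check,
    which lets a server rate-limit unverified traffic instead of the rest."""
    expected = make_server_cookie(client_cookie, client_ip, secret)
    return hmac.compare_digest(expected, server_cookie)


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """EDNS0 option wire form: OPTION-CODE | OPTION-LENGTH | OPTION-DATA."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_cookie_option(option: bytes) -> tuple:
    """Split an option back into (client_cookie, server_cookie)."""
    code, length = struct.unpack("!HH", option[:4])
    if code != COOKIE_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed COOKIE option")
    data = option[4:]
    if len(data) == 8:          # first contact: client cookie only
        return data, b""
    if 16 <= len(data) <= 40:   # client cookie plus 8..32 byte server cookie
        return data[:8], data[8:]
    raise ValueError("bad cookie length")
```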