QRP is a new protocol that runs as an extra layer on UDP, and aims to solve the various problems with the current standard way of transporting DNS messages.
This is a less formal document than the IETF draft I have submitted.
Here I'm trying to explain the potential benefits of QRP.
The key difference with QRP compared to TCP or the more modern SCTP is that servers do not retain any connection state or have any timers.
This has several advantages:
(1) It makes denial of service attacks based on exhausting server resources unlikely, because the server state after handling a query is the same as before (other than extra records in the cache of a recursive server, of course).
(2) The cost of maintaining state information is aligned with the benefit, that is with the client.
(3) It makes it simpler to provision an authoritative server. With TCP, it's hard to know how much memory will be needed for buffering, how long connections should be kept open, etc.
(4) Servers are simpler. The intelligence is where it belongs, in the edge, not the core.
(5) This is how DNS servers work currently: with no state.
After referral to a signed zone, a validating resolver needs to first load the DNSKEY RRset. By using an ANY query with DO=1, a resolver can ensure that all records for a domain are retrieved in a single request.
However, with TCP at least 2 round trips will be needed, with yet another round trip if the transfer is first attempted using UDP+EDNS, assuming truncation occurs. A 2000 byte transfer will typically use 11 packets (SYN, SYN+ACK, ACK, Query, ACK, Response1, Response2, ACK, FIN, FIN+ACK, ACK), or 13 packets if EDNS is tried first.
Note: it's possible to use EDNS with a payload larger than 1400 bytes, but this is quite problematic, due to the risk of the response being lost or spoofed. In addition, large UDP responses to unverified IP addresses allow amplification attacks against 3rd parties, so in my view they are a very bad idea, and should not be allowed.
With QRP, there is a single round trip (assuming the server token is already known), and just 3 packets are required.
QRP solves the outstanding security problems of DNS in a clean and complete way.
Importantly, QRP prevents amplification attacks against 3rd parties.
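To make the stateless server token idea from the two paragraphs above concrete, here is a small model I have added (it is not code from the QRP draft): the server keeps no per-client state, derives the token from a secret and the claimed source address, and sends a full-size answer only to a query carrying a valid token, so a spoofed source address never receives more bytes than it sent. The HMAC-based token derivation, the 8-byte token length and the rotating secret are assumptions for this illustration; the real QRP token construction is defined in the draft, not on this page.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not QRP's specification).
TOKEN_LEN = 8                   # token size the example uses
SERVER_SECRET = os.urandom(32)  # secret a real server would rotate periodically


def server_token(client_addr, secret=SERVER_SECRET):
    """Bind a token to the claimed source address. Nothing is stored per client:
    the server can recompute the token from the secret and the address alone."""
    return hmac.new(secret, client_addr.encode(), hashlib.sha256).digest()[:TOKEN_LEN]


def handle_query(client_addr, token, answer, secret=SERVER_SECRET):
    """Stateless server step: internal state is identical before and after.
    A query with a valid token for its source address gets the full answer;
    any other query gets a minimal reply carrying only the token, so a forged
    source address cannot turn the server into an amplifier."""
    expected = server_token(client_addr, secret)
    if token is not None and hmac.compare_digest(token, expected):
        return {"token": expected, "answer": answer}
    return {"token": expected, "answer": b""}


def resolve(client_addr, answer, known_token=None, secret=SERVER_SECRET):
    """Client side of the exchange: one round trip when the token is already
    known, two when it must first be learned. Returns (answer, round_trips)."""
    reply = handle_query(client_addr, known_token, answer, secret)
    if reply["answer"]:
        return reply["answer"], 1
    reply = handle_query(client_addr, reply["token"], answer, secret)
    return reply["answer"], 2


def amplification(query_len, reply):
    """Response bytes per query byte: the figure that matters to a victim whose
    address was spoofed. Below 1.0 the server is useless as a reflector."""
    return (TOKEN_LEN + len(reply["answer"])) / query_len
```

Run with a constructed 2000-byte answer and a 40-byte query: an unverified source gets back 8 bytes (ratio 0.2), while a client that has echoed its token receives the full answer in one round trip.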
For those who do not need the end-to-end security of DNSSEC, QRP provides good security against spoofing with its 64-bit ID field.
Where DNSSEC is used, QRP gives protection against denial of service attacks. Reliability is important for DNSSEC; if DNSSEC is not reliable, users are likely to disable it, negating any gain in security.
QRP also has provision for strong link-level authentication and encryption.
Finally, QRP might be used to speed up other exchanges, for example browsing the World Wide Web. Slow-start TCP is not a good solution for high-performance browsing.
Please let me know what you think. Is this a good idea or not?
My email is george.barwood@blueyonder.co.uk
George Barwood
October 2009