[arin-ppml] Draft Policy ARIN-2019-2: Waiting List Block Size Restriction

Mark Andrews marka at isc.org
Sun Mar 3 15:27:14 EST 2019



> On 3 Mar 2019, at 4:19 pm, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> 
> It's an interesting assertion, although I'm not sure that I see how either
> DKIM or SPF enter into the equation at all.  As I understand it, those are
> verified via DNS (udp/53) and thus should not have an effect on port usage.

DNS falls back to TCP.  You can’t assume all your DNS traffic will be UDP.
Every referral from the root servers to the COM, NET and ORG servers over
plain DNS should involve TCP.  Not being able to fit glue into a response
should require TC=1 to be set and TCP fallback to occur.

> Callbacks mean your mail server needs to make an outbound SMTP connection
> for each inbound one, and thus, I must concede that you have a point that
> this might impact total outbound TCP port usage.  But as noted above, this
> likely only becomes an issue when you are already near saturation of the
> available 64k - 2K outbound port numbers, and even in such cases, it seems
> like it should be possible to use single outbound TCP ports for multiple
> outbound SMTP connections, which, if it's actually possible, would pretty
> much solve even that extreme port exhaustion problem.  But I need to make
> some inquiries about that.
> 
> Greylisting just means that your mail server, when acting in its capacity
> as an SMTP client, may sometimes need to drop the connection (thus giving
> back the outbound port number it was using) and then try again later, so
> I'm not sure that I see how that affects the calculation either, other
> than the fact that, at scale, it means your mail server is likely to
> spend a bit more time being a client than it otherwise would, i.e. in the
> absence of greylisting.
> 
>>> How many IPv4 port numbers does it take to support DNS service for
>>> 10,000 domains?
>> 
>> Only if those domains only request or forward queries for 6 outside
>> references a second.
> 
> Here again, you are starting from the assumption that each -outbound-
> (client side) DNS query needs to have its own unique port number.  I could
> be wrong about this, but I don't believe that that is actually the case,
> even for current gen (or even prior gen) name servers that are already widely
> deployed, and that have been, for many years already.  In fact I seem to
> vaguely recall there being some setting in BIND 9 where the operator could
> instruct the thing to originate -all- outbound queries from a single local
> port number, e.g. UDP port 53.
> 
> Or maybe I'm mis-remembering.

Only if you want to be vulnerable to a Kaminsky style attack.  DNS COOKIE
can allow you to use a single port but it requires both sides to support
DNS COOKIE.  Only 4% of the Alexa Top 1000 DNS servers support DNS COOKIE.
https://ednscomp.isc.org/compliance/ts/alexa.optwhat.html

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
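As an added illustration of the single-port point above (example code written for this page, not from the thread, ISC or BIND): a check over constructed (transaction id, UDP source port) records of a resolver's outbound queries that flags a resolver originating everything from one port, and the size of the (txid, port) space an off-path spoofer would have to guess in each case. All function names and sample values are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample records: (DNS transaction id, UDP source port) of
# outbound queries, as you would extract from a capture of a recursive
# resolver. Both lists are made up for this example.
FIXED_PORT_QUERIES = [
    (0x1a2b, 53), (0x9c4d, 53), (0x0f0f, 53),
    (0x7777, 53), (0x3e3e, 53), (0xabcd, 53),
]
RANDOM_PORT_QUERIES = [
    (0x1a2b, 40213), (0x9c4d, 51877), (0x0f0f, 33102),
    (0x7777, 62110), (0x3e3e, 45508), (0xabcd, 58021),
]

TXID_SPACE = 1 << 16            # 16-bit transaction id field
EPHEMERAL_PORTS = 65536 - 1024  # roughly the 64k - 1k usable source ports


def shannon_entropy_bits(values):
    """Entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def spoof_guess_space(distinct_ports, txid_space=TXID_SPACE):
    """(txid, port) pairs a blind off-path spoofer must cover; with one
    fixed port only the 16-bit txid protects the answer."""
    return distinct_ports * txid_space


def audit_source_ports(queries, min_port_entropy_bits=2.0):
    """Summarise source-port randomisation seen in a capture. 'fixed_port'
    is True when every query left from the same port."""
    ports = [p for _, p in queries]
    txids = [t for t, _ in queries]
    distinct = len(set(ports))
    port_entropy = shannon_entropy_bits(ports)
    return {
        "queries": len(queries),
        "distinct_ports": distinct,
        "port_entropy_bits": round(port_entropy, 3),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 3),
        "guess_space": spoof_guess_space(distinct),
        "fixed_port": distinct == 1,
        "weak_randomisation": port_entropy < min_port_entropy_bits,
    }
```

With a full ephemeral range, `spoof_guess_space(EPHEMERAL_PORTS)` gives the roughly 2^32 combinations a randomising resolver forces an attacker to cover, against 65536 for a fixed port.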