[dns-operations] question for DNS being attacked
Paul Vixie
paul at redbarn.org
Thu Jun 28 05:55:49 UTC 2012
On 2012-06-28 5:30 AM, Michael Graff wrote:
> ...
>
> The RLL tech may not be supported by ISC, but the URL http://ss.vix.com/~vixie/isc-tn-2012-1.txt says it is copyright by ISC.
that's my tech note boilerplate. no connotation of support by isc was
intended. oops.
> I still fear this sort of rate limiting (or possibly any major rate limiting that isn't fair-share outgoing bandwidth limiting) can cause other issues, including some security issues. It may solve the distributed flood using DNS as an amplification, but until I see a write up on exactly how it performs with more than just a description, and a few people outside of the two developers analyze that methodology, I would not use this system in production.
i'll see what i can do.
> Even with the slip values, I still feel this can open a wider window for other forms of attacks against a DNS zone.
"feel" is not a term of art here.
paul
More information about the dns-operations
mailing list