[dns-operations] DNS deluge for x.p.ctrc.cc

Matt Ghali matt at snark.net
Fri Mar 3 19:20:08 UTC 2006


On Fri, 3 Mar 2006, Paul Vixie wrote:

> i was thinking of the part where i observed that the amount of EDNS0-sized
> data available is fairly small at the moment and is not likely, in the next
> few years, to reach beyond the point where rate-limiting by IP would work,
> whereas the size of the open-recursive population has already grown beyond
> that point.

In case I was missing something, I did a quick poll of one root 
nameserver op, and two DNS server authors. They all agreed with my 
distaste for rate-limiting as a solution here, and agreed that BCP38 
was a much better solution that addresses a much larger problem set.

Ratelimiting does not scale. Some folks could configure their mail 
servers to ratelimit inbound SMTP, and it would effectively reduce 
the amount of abusive mail they receive. For others, it would bring 
their business to a grinding halt. Same for DNS.

Addressing the abuse case of spoofed source address DNS queries as 
anything but a _symptom_ is a road to madness.

> i was also thinking of where i said there would be no FUSSP.

I apologise if I seemed to be putting words in your mouth, 
especially those. It was certainly not my intent, I have much more 
respect for you than that would imply.

matto

--matt at snark.net------------------------------------------<darwin><
               The only thing necessary for the triumph
               of evil is for good men to do nothing. - Edmund Burke



More information about the dns-operations mailing list