[dns-operations] DNS deluge for x.p.ctrc.cc
matt at snark.net
Fri Mar 3 19:20:08 UTC 2006
On Fri, 3 Mar 2006, Paul Vixie wrote:
> i was thinking of the part where i observed that the amount of EDNS0-sized
> data available is fairly small at the moment and is not likely, in the next
> few years, to reach beyond the point where rate-limiting by IP would work,
> whereas the size of the open-recursive population has already grown beyond
> that point.
In case I was missing something, I did a quick poll of one root
nameserver op, and two DNS server authors. They all agreed with my
distaste for rate-limiting as a solution here, and agreed that BCP38
was a much better solution that addresses a much larger problem set.

Rate-limiting does not scale. Some folks could configure their mail
servers to rate-limit inbound SMTP, and it would effectively reduce
the amount of abusive mail they receive. For others, it would bring
their business to a grinding halt. Same for DNS.

Addressing the abuse case of spoofed source address DNS queries as
anything but a _symptom_ is a road to madness.
> i was also thinking of where i said there would be no FUSSP.
I apologise if I seemed to be putting words in your mouth,
especially those. It was certainly not my intent; I have much more
respect for you than that would imply.
--matt at snark.net------------------------------------------<darwin><
The only thing necessary for the triumph
of evil is for good men to do nothing. - Edmund Burke