[dns-operations] DNS deluge for x.p.ctrc.cc
Paul Vixie
paul at vix.com
Fri Mar 3 19:44:27 UTC 2006
# ... I did a quick poll of one root nameserver op, and two DNS server
# authors. They all agreed with my distaste for rate-limiting as a solution
# here, and agreed that BCP38 was a much better solution that addresses a much
# larger problem set.
hell, even i would agree with that. the question is, what should be done
between now (today) and the time (someday) when BCP38 is universally deployed?
# Ratelimiting does not scale. Some folks could configure their mail servers
# to ratelimit inbound SMTP, and it would effectively reduce the amount of
# abusive mail they receive. For others, it would bring their business to a
# grinding halt. Same for DNS.
and yet i know how to make today's routing iron protect me using rate limiting
from an attack that reflects via authoritative nameservers, in a way that an
upstream ISP would be willing to deploy to keep their customers on-line, and
i do not know of a way to do the same thing for attacks which reflects via
open recursive nameservers, and the difference in knowledge/capability here
relates directly to the number of each kind of nameserver (and the number of
attack flows that could therefore result). so it doesn't scale forever, but
as i've said there is no FUSSP. all it has to do is scale well enough to get
us through the time between now and universal BCP38 deployment-- and it would.
# Addressing the abuse case of spoofed source address DNS queries as anything
# but a _symptom_ is a road to madness.
like geo, you sound as though you know the answer to my oft-repeated question
but you didn't actually answer it so i'll ask again. while we work and wait
for universal BCP38 deployment, should root and TLD operators choose to be
available to all parties, or available during attacks? (there's no third
choice.)
# > i was also thinking of where i said there would be no FUSSP.
#
# I apologise if I seemed to be putting words in your mouth, especially
# those. It was certainly not my intent, I have much more respect for you
# than that would imply.
i wasn't offended. it's just that we've been busy here over the last two
weeks, and some of what you started talking about on your first day on the
list had been covered by the archives. i know that pipermail is a rotten
lousy low-grade unserviceable unusable archive service, but it's all we've
got and i hope everyone will make use of it.
More information about the dns-operations
mailing list