[dns-operations] DNS deluge for x.p.ctrc.cc
matt at snark.net
Fri Mar 3 21:17:19 UTC 2006
On Fri, 3 Mar 2006, Paul Vixie wrote:
> # Addressing the abuse case of spoofed source address DNS queries as anything
> # but a _symptom_ is a road to madness.
> like geo, you sound as though you know the answer to my oft-repeated question
> but you didn't actually answer it so i'll ask again. while we work and wait
> for universal BCP38 deployment, should root and TLD operators choose to be
> available to all parties, or available during attacks? (there's no third
I am nowhere smart enough to have what the answer _is_ for you, but
have a good idea what the answer _isn't_.
As I am sure you are well aware, there is no process in this
imperfect world to build a perfect access list, when people are
involved in the process. At the very least, there is the nonzero
possibility of false positives. And there will certainly also be
lawyers involved. Lawyers are expensive. People who run root or TLD
servers have enough expenses as it is.
I am not comfortable with the idea of any person or group or process
having the power to unilaterally deny access to root or tld
nameservers. In a perfect world, we could be reassured that the
process is perfect, but in that perfect world, we'd never see
spoofed traffic anyway.
That leaves us with identifying abusive traffic and rate-limiting
it. While I would be impressed if this could actually occur at the
rate a root nameserver pod processes requests, it seems to be the
least evil, and if it is indeed possible, seems to be a good
stop-gap measure until people stop being bad.
Just please don't put the rate-limiting into BIND :)
--matt at snark.net------------------------------------------<darwin><
The only thing necessary for the triumph
of evil is for good men to do nothing. - Edmund Burke
More information about the dns-operations