[dns-operations] DNS deluge for x.p.ctrc.cc

Matt Ghali matt at snark.net
Fri Mar 3 21:17:19 UTC 2006

On Fri, 3 Mar 2006, Paul Vixie wrote:

> # Addressing the abuse case of spoofed source address DNS queries as anything
> # but a _symptom_ is a road to madness.
> like geo, you sound as though you know the answer to my oft-repeated question
> but you didn't actually answer it so i'll ask again.  while we work and wait
> for universal BCP38 deployment, should root and TLD operators choose to be
> available to all parties, or available during attacks?  (there's no third
> choice.)

I am nowhere smart enough to have what the answer _is_ for you, but 
have a good idea what the answer _isn't_.

As I am sure you are well aware, there is no process in this 
imperfect world to build a perfect access list, when people are 
involved in the process. At the very least, there is the nonzero 
possibility of false positives. And there will certainly also be 
lawyers involved. Lawyers are expensive. People who run root or TLD 
servers have enough expenses as it is.

I am not comfortable with the idea of any person or group or process 
having the power to unilaterally deny access to root or tld 
nameservers. In a perfect world, we could be reassured that the 
process is perfect, but in that perfect world, we'd never see 
spoofed traffic anyway.

That leaves us with identifying abusive traffic and rate-limiting 
it. While I would be impressed if this could actually occur at the 
rate a root nameserver pod processes requests, it seems to be the 
least evil, and if it is indeed possible, seems to be a good 
stop-gap measure until people stop being bad.

Just please don't put the rate-limiting into BIND :)


--matt at snark.net------------------------------------------<darwin><
               The only thing necessary for the triumph
               of evil is for good men to do nothing. - Edmund Burke

More information about the dns-operations mailing list