[dns-operations] DNS greylisting?

[Florian Weimer]

* Paul Vixie:

> if large numbers of nonmalicious queries are forced to use TCP, then a
> malfeasant can deny service for those queries by attacking the TCP quota
> and connection management logic in the nameserver.

The idea is to use SYN cookies to whitelist "good" addresses, without
keeping too much state servers-side.  You can use CNAME RRs to
implement pure UDP-based cookies, by the way.  (Riverhead applied for
a patent on such techniques, IIRC.)