[dns-operations] Amplification attack today ?
Paul Vixie
paul at vix.com
Fri Mar 2 15:13:49 UTC 2007
> If I understand the proposal well, the purpose of the blocking by the
> root-servers is to make the "open recursors" aware of the fact that they
> are 'open' by denying them service. So all this work would be a public
> service.
that's my understanding also.
> Still John's argument holds. It is not realistic for the root-servers to
> query the DNS 40.000 times per second to see if it should deny service to
> the resolver contacting it. Even when it would be possible to maintain the
> blacklist locally I do not think the root-servers should be playing
> internet police.
it would have to be done by bgp blackholes rather than dns blackholes. and
since it's a public service rather than a real time operational shield, there
could be a simple rotation of "1000 at a time", perhaps changed every hour or
every day.
> And just as with mail-blacklists the folk that are the false positives
> will suffer badly.
yes.
> I am ready to dismiss this idea.
as a rootop, so am i. but as an operator of the vix.com server, i'd be
willing to consider it. on the internet, there is no growth without pain.
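The scheme sketched in the reply above, as an added example that is not part of the original post or of any dns-operations tooling: the open-recursor list is assembled offline (never by querying at root-server rates), a fixed-size batch of it is blackholed per rotation period so that every listed address eventually loses service for a while, and an allow-list keeps known false positives out of the rotation. The sample addresses, the allow-list, the discard next-hop and the route-announcement line format are constructed placeholders; the BLACKHOLE community value is the RFC 7999 well-known one, which postdates this thread and is assumed to be honoured by whatever speaks BGP for you.

```python
"""Rotating BGP blackhole schedule for a list of open recursors.

Added example, not code from the original dns-operations post.  The list is
built offline, a batch of BATCH_SIZE addresses is blackholed per slot, and
batches wrap around so no address is blocked permanently.  Sample data,
allow-list, next-hop and output line format are constructed placeholders.
"""
import ipaddress

BATCH_SIZE = 1000          # "1000 at a time"
ROTATION_SECONDS = 3600    # "changed every hour"
# RFC 7999 well-known BLACKHOLE community (assumption: your route server honours it)
BLACKHOLE_COMMUNITY = "65535:666"


def load_open_recursors(lines, allowlist=()):
    """Parse one IPv4 address per line into a sorted, de-duplicated list.

    Blank lines and '#' comments are skipped, malformed entries are dropped,
    and any address inside an allow-listed network is excluded so that known
    false positives (the mail-blacklist problem) never enter the rotation.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    seen = set()
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue                      # malformed line: ignore, do not abort
        if addr.version != 4 or any(addr in n for n in nets):
            continue
        seen.add(addr)
    return [str(a) for a in sorted(seen)]


def slot_for(timestamp, period=ROTATION_SECONDS):
    """Map a Unix timestamp to its rotation slot number."""
    return int(timestamp // period)


def batch_for(slot, addrs, batch_size=BATCH_SIZE):
    """Return the batch of addresses blackholed during the given slot.

    With N addresses and batch size B the whole list cycles every
    ceil(N / B) slots, so every open recursor is denied service in turn.
    """
    if not addrs:
        return []
    n_batches = -(-len(addrs) // batch_size)   # ceiling division
    i = slot % n_batches
    return addrs[i * batch_size:(i + 1) * batch_size]


def render_blackhole_routes(addrs, next_hop="192.0.2.1"):
    """Render /32 host routes tagged with the BLACKHOLE community.

    The line format is illustrative (ExaBGP-like), not a specific product's
    syntax; next_hop is a constructed discard address.
    """
    return [
        f"announce route {a}/32 next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"
        for a in addrs
    ]


def schedule(lines, timestamp, allowlist=(), batch_size=BATCH_SIZE):
    """End-to-end: raw list -> batch for this slot -> route announcements."""
    addrs = load_open_recursors(lines, allowlist)
    return render_blackhole_routes(batch_for(slot_for(timestamp), addrs, batch_size))


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses stand in for open recursors.
    sample = ["198.51.100.10", "198.51.100.20  # seen twice", "198.51.100.20",
              "203.0.113.5", "not-an-address", "", "192.0.2.77"]
    for line in schedule(sample, timestamp=7200, allowlist=["192.0.2.0/24"], batch_size=2):
        print(line)
```

The batch is chosen purely from the clock and the sorted list, so every root (or any other server taking part) computes the same batch for the same hour without coordinating, and the per-query cost on the server is zero: the expensive part, deciding who is open, never happens in the query path.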