[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

[Stephane Bortzmeyer]

On Wed, Jun 22, 2011 at 07:17:06AM +0000,
 Dobbins, Roland <rdobbins at arbor.net> wrote 
 a message of 40 lines which said:

> I've run into it in the wild - it's mentioned on p. 54 of the Arbor
> 2010 WISR:

Is there somewhere an existing list of practices which can be used by
authoritative DNSSEC name servers to mitigate the problem? We use nsd
and BIND which, as far as I know, have no rate-limiting
features. Other ideas?