[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jun 22 07:38:11 UTC 2011

On Wed, Jun 22, 2011 at 07:17:06AM +0000,
 Dobbins, Roland <rdobbins at arbor.net> wrote 
 a message of 40 lines which said:

> I've run into it in the wild - it's mentioned on p. 54 of the Arbor
> 2010 WISR:

Is there somewhere an existing list of practices which can be used by
authoritative DNSSEC name servers to mitigate the problem? We use nsd
and BIND which, as far as I know, have no rate-limiting
features. Other ideas?

More information about the dns-operations mailing list