[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Jun 22 09:31:50 UTC 2011

On 06/22/11 09:38, Stephane Bortzmeyer wrote:

> Is there somewhere an existing list of practices which can be used by
> authoritative DNSSEC name servers to mitigate the problem? We use nsd
> and BIND which, as far as I know, have no rate-limiting
> features. Other ideas?

I always wondered why there is no option to disable ANY-queries on an
authoritative server.

Unless I am missing something here, it should be safe to return a
REFUSED for them (I was told that Postfix is using them for some obscure
reason, so maybe I am talking rubbish here).

In any case, disallowing ANY-queries *might* perhaps be considered in
the combat against DNSSEC-based amplification attacks.
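As an added illustration of the REFUSED idea above (not code from the list post, nsd or BIND): a minimal wire-level handler that parses an incoming query, and for QTYPE ANY (255) builds a response with RCODE REFUSED (5) and no answer section, so the reply is never larger than the question. The `build_query` helper only constructs sample packets for the demo; all packet contents are constructed.

```python
import struct

QTYPE_ANY = 255       # RFC 1035 "*" / ANY
RCODE_REFUSED = 5     # RFC 1035 RCODE 5: Refused
HEADER = "!HHHHHH"    # id, flags, qdcount, ancount, nscount, arcount


def parse_query(packet: bytes) -> dict:
    """Parse the 12-byte header and the first question (no compression expected in questions)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(HEADER, packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    offset, labels = 12, []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated question name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if offset + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    return {"id": txid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question": packet[12:offset]}


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Construct a sample query packet (RD set, one question, class IN) for testing."""
    wire = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                    for l in name.rstrip(".").split("."))
    return struct.pack(HEADER, txid, 0x0100, 1, 0, 0, 0) + wire + b"\x00" + struct.pack("!HH", qtype, 1)


def refuse_any(packet: bytes):
    """Return a REFUSED response for ANY queries; None means 'answer normally'."""
    q = parse_query(packet)
    if q["qtype"] != QTYPE_ANY:
        return None
    # QR=1, keep OPCODE and RD from the query, AA/TC/RA clear, RCODE=REFUSED.
    flags = 0x8000 | (q["flags"] & 0x7900) | RCODE_REFUSED
    # Echo the question only: response size == query size, so amplification factor is 1.
    return struct.pack(HEADER, q["id"], flags, 1, 0, 0, 0) + q["question"]
```

A server using this check still answers A, AAAA, MX and DNSKEY queries normally; only the ANY response path is short-circuited.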
