[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
bortzmeyer at nic.fr
Wed Jun 22 09:38:39 UTC 2011
On Wed, Jun 22, 2011 at 11:31:50AM +0200,
Marco Davids (SIDN) <marco.davids at sidn.nl> wrote
a message of 28 lines which said:
> I always wondered why there is no option to disable ANY-queries on
> an authoritative server.
For .FR, a query on DNSKEY (the largest one) elicits a response which
is 60 % of the size of the ANY response (for .NL, it is more like
40 %). I wonder if it is sufficient mitigation.
More information about the dns-operations