[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jun 22 09:38:39 UTC 2011

On Wed, Jun 22, 2011 at 11:31:50AM +0200,
 Marco Davids (SIDN) <marco.davids at sidn.nl> wrote 
 a message of 28 lines which said:

> I always wondered why there is no option to disable ANY-queries on
> an authoritative server.

For .FR, a query on DNSKEY (the largest one) elicits a response which
is 60 % of the size of the ANY response (for .NL, it is more like
40 %). I wonder if it is sufficient mitigation.
