[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

[Stephane Bortzmeyer]

On Wed, Jun 22, 2011 at 11:31:50AM +0200,
 Marco Davids (SIDN) <marco.davids at sidn.nl> wrote 
 a message of 28 lines which said:

> I always wondered why there is no option to disable ANY-queries on
> an authoritative server.

For .FR, a query on DNSKEY (the largest one) elicits a response which
is 60 % of the size of the ANY response (for .NL, it is more like
40 %). I wonder if it is sufficient mitigation.