[dns-operations] Limiting DNSSEC-based amplification attacks (Was:Weird TXT record

George Barwood george.barwood at blueyonder.co.uk
Wed Jun 22 10:14:31 UTC 2011


In BIND, configure

max-udp-size 1460;

or whatever value you need to stop IP fragmentation.

If your DNSKEY response is less than this, there is no real downside.
If your DNSKEY response is more, there will be a small increase in TCP traffic.

I wish ISC would make this the default value (instead of 4096).

George


----- Original Message ----- 
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at mail.dns-oarc.net>
Sent: Wednesday, June 22, 2011 8:38 AM
Subject: [dns-operations] Limiting DNSSEC-based amplification attacks (Was:Weird TXT record


> On Wed, Jun 22, 2011 at 07:17:06AM +0000,
> Dobbins, Roland <rdobbins at arbor.net> wrote 
> a message of 40 lines which said:
> 
>> I've run into it in the wild - it's mentioned on p. 54 of the Arbor
>> 2010 WISR:
> 
> Is there somewhere an existing list of practices which can be used by
> authoritative DNSSEC name servers to mitigate the problem? We use nsd
> and BIND which, as far as I know, have no rate-limiting
> features. Other ideas?
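Added illustration (not code from George, Stephane, or ISC): a small Python model of the EDNS buffer negotiation that George's max-udp-size advice relies on. It assumes a constructed DNSKEY query for a hypothetical name, fixed header and OPT sizes, and the simplification that a truncated reply carries only the header, question and OPT record. Run as a script it prints, for a few constructed answer sizes, what a reflector puts on the wire at the 4096 default and at 1460: an answer above the cap goes out as a small TC=1 reply and the real data moves to TCP, which a forged source address cannot complete, while an answer that already fits is unchanged (the "no real downside" case).

```python
"""Model of how BIND's max-udp-size caps a UDP answer (added example)."""
from dataclasses import dataclass

# Constructed constants for the model.
DNS_HEADER = 12         # fixed DNS message header
OPT_RR = 11             # minimal EDNS(0) OPT pseudo-RR, no options
UDP_IP_OVERHEAD = 28    # IPv4 (20) + UDP (8) headers


@dataclass
class UdpReply:
    payload: int        # DNS payload bytes actually sent over UDP
    truncated: bool     # TC bit set; the client must retry over TCP


def question_len(qname: str) -> int:
    """Wire length of a question section: labels + root + QTYPE + QCLASS."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1 + 4


def udp_reply(full_response: int, qlen: int,
              client_bufsize: int, server_max_udp: int) -> UdpReply:
    """What the server sends over UDP for one EDNS query.

    Per RFC 6891 the usable UDP size is the smaller of the client's
    advertised buffer and the server's own max-udp-size. An answer that
    does not fit is truncated: the answer section is dropped
    (simplification: BIND may keep RRsets that still fit) and TC=1.
    """
    limit = min(client_bufsize, server_max_udp)
    if full_response <= limit:
        return UdpReply(full_response, False)
    return UdpReply(DNS_HEADER + qlen + OPT_RR, True)


def wire_sizes(full_response: int, qname: str,
               client_bufsize: int, server_max_udp: int):
    """Return (query bytes on the wire, reply bytes on the wire, truncated)."""
    qlen = question_len(qname)
    reply = udp_reply(full_response, qlen, client_bufsize, server_max_udp)
    query_wire = UDP_IP_OVERHEAD + DNS_HEADER + qlen + OPT_RR
    reply_wire = UDP_IP_OVERHEAD + reply.payload
    return query_wire, reply_wire, reply.truncated


def amplification(full_response: int, qname: str,
                  client_bufsize: int, server_max_udp: int) -> float:
    """Bytes the server emits over UDP per byte of query it received."""
    q, r, _ = wire_sizes(full_response, qname, client_bufsize, server_max_udp)
    return r / q


if __name__ == "__main__":
    name = "example.net."          # constructed name, not a zone from the thread
    for cap in (4096, 1460):
        print(f"max-udp-size {cap}:")
        for size in (900, 1400, 2000, 3500):   # constructed DNSKEY answer sizes
            q, r, tc = wire_sizes(size, name, 4096, cap)
            print(f"  {size:5d}-byte answer -> {r:5d} bytes on the wire, "
                  f"{r / q:5.1f}x, TC={'1' if tc else '0'}")
```

To compare the model with a real zone, query your own server for its DNSKEY RRset with dig and read the MSG SIZE line: if it is below the cap you choose, the cap costs nothing; if it is above, those answers will arrive over TCP instead.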

