[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Mark Andrews
marka at isc.org
Wed Jun 22 12:21:20 UTC 2011
In message <4E01B686.1030706 at sidn.nl>, "Marco Davids (SIDN)" writes:
> On 06/22/11 09:38, Stephane Bortzmeyer wrote:
>
> > Is there somewhere an existing list of practices which can be used by
> > authoritative DNSSEC name servers to mitigate the problem? We use nsd
> > and BIND which, as far as I know, have no rate-limiting
> > features. Other ideas?
>
> I always wondered why there is no option to disable ANY-queries on an
> authoritative server.
Because it is a legitimate query. There are applications that make
it and if nothing is cached, recursive servers make it towards
authoritative servers.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org