[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Mark Andrews marka at isc.org
Wed Jun 22 12:21:20 UTC 2011

In message <4E01B686.1030706 at sidn.nl>, "Marco Davids (SIDN)" writes:
> On 06/22/11 09:38, Stephane Bortzmeyer wrote:
> > Is there somewhere an existing list of practices which can be used by
> > authoritative DNSSEC name servers to mitigate the problem? We use nsd
> > and BIND which, as far as I know, have no rate-limiting
> > features. Other ideas?
> I always wondered why there is no option to disable ANY-queries on an
> authoritative server.

Because it it a legitimate query.  There are applications that make
it and if nothing is cached, recursive servers make it towards
authoritative servers.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list