[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
drc at virtualized.org
Fri Jun 24 15:45:58 UTC 2011
On Jun 24, 2011, at 5:27 AM, Hauke Lampe wrote:
> It is a nameserver's job to answer all valid queries as fast as
> possible, filling as much of the client's advertised buffer size as
> necessary. (That's my opinion, YMMV.)
Assume your authoritative server is getting hit with (say) 100 qps for the same name/type. Of what possible benefit is responding to all but the first within a TTL?
I'm thinking rate limiting responses is a good thing. The problem is that it requires more state.
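As an added illustration of the trade-off raised above (not code from the poster or from any nameserver project), here is a small per-client response rate limiter of the kind an authoritative server could apply. It keys state on (client /24 or /56, qname, qtype), answers the first few identical queries per window normally, and beyond that alternates between a truncated response (TC=1, so a legitimate resolver retries over TCP) and silence. The key shape, the limits, the window length and the eviction cap are all assumptions chosen for the example; the point it makes concrete is the one in the message: every distinct (client, name, type) tuple costs one state entry, so the table must be bounded.

```python
import ipaddress
import time
from collections import OrderedDict


class ResponseRateLimiter:
    """Per-(client prefix, qname, qtype) response limiter for an authoritative server.

    Assumed policy (not from the original post): the first `limit` identical
    queries per `window` seconds are answered in full; after that, responses
    alternate between a truncated reply (forces TCP retry) and being dropped.
    State is kept in an insertion-ordered dict capped at `max_entries`, so the
    memory cost is bounded even under a flood of distinct keys.
    """

    def __init__(self, limit=5, window=1.0, max_entries=100_000):
        self.limit = limit
        self.window = window
        self.max_entries = max_entries
        self._state = OrderedDict()  # key -> (window_start, count)

    @staticmethod
    def _key(client_ip, qname, qtype):
        # Bucket clients by prefix (assumption: /24 for IPv4, /56 for IPv6) so a
        # spoofed source that walks through one subnet still shares a bucket.
        plen = 56 if ":" in client_ip else 24
        net = ipaddress.ip_interface(f"{client_ip}/{plen}").network
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip, qname, qtype, now=None):
        """Return 'respond', 'truncate' or 'drop' for one incoming query."""
        now = time.monotonic() if now is None else now
        key = self._key(client_ip, qname, qtype)
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self._state[key] = (start, count)
        self._state.move_to_end(key)        # most recently seen key goes last
        while len(self._state) > self.max_entries:
            self._state.popitem(last=False)  # evict the least recently seen key
        if count <= self.limit:
            return "respond"
        # Over the limit: "slip" every other answer as a truncated reply so a
        # real resolver behind the address can still retry over TCP.
        return "truncate" if count % 2 == 0 else "drop"

    def state_size(self):
        return len(self._state)


def simulate(limiter, queries):
    """Run (timestamp, client_ip, qname, qtype) tuples through the limiter
    and tally the decisions."""
    tally = {"respond": 0, "truncate": 0, "drop": 0}
    for t, ip, name, qtype in queries:
        tally[limiter.decide(ip, name, qtype, now=t)] += 1
    return tally


# Constructed sample traffic: 100 qps for one name/type from one source,
# matching the scenario in the message, plus three ordinary queries from
# another client for different names.
FLOOD = [(i / 100, "192.0.2.7", "example.net", "TXT") for i in range(100)]
NORMAL = [
    (0.10, "198.51.100.9", "www.example.net", "A"),
    (0.20, "198.51.100.9", "mail.example.net", "MX"),
    (0.30, "198.51.100.9", "example.net", "NS"),
]


if __name__ == "__main__":
    rrl = ResponseRateLimiter()
    print("flood :", simulate(rrl, FLOOD), "state entries:", rrl.state_size())
    print("normal:", simulate(rrl, NORMAL), "state entries:", rrl.state_size())
```

With the defaults, the 100-query burst yields five full answers, 48 truncated replies and 47 dropped ones while occupying a single state entry; the three unrelated queries are all answered and add three entries. The cost the message points to is exactly that table: an attacker who rotates names or spoofed prefixes inflates it, which is why the example caps it and evicts least-recently-seen keys rather than letting it grow without limit.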