[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 15:45:58 UTC 2011


On Jun 24, 2011, at 5:27 AM, Hauke Lampe wrote:
> It is a nameserver's job to answer all valid queries as fast as
> possible, filling as much of the client's advertised buffer size as
> necessary. (That's my opinion, YMMV.)

Assume your authoritative server is getting hit with (say) 100 qps for the same name/type.  Of what possible benefit is responding to all but the first within a TTL?

I'm thinking rate limiting responses is a good thing.  The problem is that it requires more state.
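To make the state cost of the idea concrete, here is an added example that is not part of the original thread: a small per-(client prefix, name, type) response rate limiter with a fixed-size table, in the spirit of the "respond to the first within a window, not the rest" suggestion above. The per-client-prefix dimension, the fixed window, the "slip" (answer every Nth excess query with a truncated reply so a legitimate resolver can retry over TCP) and all numeric limits are assumptions for illustration, as are the example addresses and names.

```python
"""Bounded-state response rate limiter for an authoritative DNS server.

Added example; the window, slip and table-size choices are assumptions,
not the configuration of any particular nameserver.
"""
from collections import OrderedDict
import ipaddress


class ResponseRateLimiter:
    """Counts responses per (client prefix, qname, qtype) in a fixed window."""

    def __init__(self, responses_per_second=5, window=1.0, slip=2,
                 max_entries=10000, v4_prefix=24, v6_prefix=56):
        self.rps = responses_per_second   # answers allowed per window
        self.window = window              # window length in seconds
        self.slip = slip                  # every Nth excess gets a TC=1 reply (0 = never)
        self.max_entries = max_entries    # hard bound on tracked state
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.table = OrderedDict()        # key -> {'start', 'count', 'over'}, LRU order

    def _key(self, client_ip, qname, qtype):
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        # Aggregate by prefix so a spoofed victim range is one bucket, not thousands.
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return 'respond', 'slip' (truncated reply) or 'drop' for one query."""
        key = self._key(client_ip, qname, qtype)
        entry = self.table.get(key)
        if entry is None or now - entry["start"] >= self.window:
            entry = {"start": now, "count": 0, "over": 0}   # fresh window
        entry["count"] += 1
        self.table[key] = entry
        self.table.move_to_end(key)                          # mark most recently used
        if len(self.table) > self.max_entries:
            self.table.popitem(last=False)                   # evict least recently used
        if entry["count"] <= self.rps:
            return "respond"
        entry["over"] += 1
        if self.slip and entry["over"] % self.slip == 0:
            return "slip"
        return "drop"


def run_demo():
    """Constructed burst: 20 identical queries from one /24, then one from elsewhere."""
    rl = ResponseRateLimiter(responses_per_second=5, slip=2)
    counts = {"respond": 0, "slip": 0, "drop": 0}
    for _ in range(20):
        counts[rl.decide("192.0.2.10", "example.com", "TXT", 0.0)] += 1
    counts[rl.decide("198.51.100.7", "example.com", "TXT", 0.0)] += 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

The state is one small record per active (prefix, name, type) key, and `max_entries` with LRU eviction keeps it bounded under a flood of random names; the trade-off is that a sufficiently wide flood evicts entries before their window ends, so the table size has to be chosen against the query rates the server actually sees.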


