[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Rick Jones rick.jones2 at hp.com
Fri Jun 24 16:54:46 UTC 2011

On 06/24/2011 08:45 AM, David Conrad wrote:
> Hi,
> On Jun 24, 2011, at 5:27 AM, Hauke Lampe wrote:
>> It is a nameserver's job to answer all valid queries as fast as
>> possible, filling as much of the client's advertised buffer size
>> as necessary. (That's my opinion, YMMV.)
> Assume your authoritative server is getting hit with (say) 100 qps
> for the same name/type.  Of what possible benefit is responding to
> all but the first within a TTL?

Is caching "de jure" mandatory in DNS?

> I'm thinking rate limiting responses is a good thing.  The problem is
> that it requires more state.

rick jones

More information about the dns-operations mailing list