[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Rick Jones rick.jones2 at hp.com
Fri Jun 24 16:54:46 UTC 2011


On 06/24/2011 08:45 AM, David Conrad wrote:
> Hi,
>
> On Jun 24, 2011, at 5:27 AM, Hauke Lampe wrote:
>> It is a nameserver's job to answer all valid queries as fast as
>> possible, filling as much of the client's advertised buffer size
>> as necessary. (That's my opinion, YMMV.)
>
> Assume your authoritative server is getting hit with (say) 100 qps
> for the same name/type.  Of what possible benefit is responding to
> all but the first within a TTL?

Is caching "de jure" mandatory in DNS?

> I'm thinking rate limiting responses is a good thing.  The problem is
> that it requires more state.

rick jones
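
Added example, not part of the original message or of any nameserver's code: a sketch of the "answer only the first query within a TTL" idea from the quoted text, with the state it requires capped in size. The class and function names, the /24 and /56 source aggregation, and the LRU eviction are assumptions chosen for illustration; the traffic is constructed.

```python
import ipaddress
from collections import OrderedDict

class ResponseLimiter:
    """Answer a (source prefix, qname, qtype) once per TTL, with bounded state."""

    def __init__(self, max_entries=100_000, v4_prefix=24, v6_prefix=56):
        self.max_entries = max_entries
        self.v4_prefix = v4_prefix      # assumed aggregation width for IPv4
        self.v6_prefix = v6_prefix      # assumed aggregation width for IPv6
        self._expiry = OrderedDict()    # key -> time at which suppression ends

    def _key(self, src, qname, qtype):
        addr = ipaddress.ip_address(src)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        # DNS names compare case-insensitively; ignore the trailing root dot.
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def should_answer(self, src, qname, qtype, ttl, now):
        key = self._key(src, qname, qtype)
        expires = self._expiry.get(key)
        if expires is not None and now < expires:
            self._expiry.move_to_end(key)      # still active: mark as recently seen
            return False                       # already answered within this TTL
        self._expiry[key] = now + ttl
        self._expiry.move_to_end(key)
        while len(self._expiry) > self.max_entries:
            self._expiry.popitem(last=False)   # state cap reached: forget the oldest
        return True

def simulate():
    """Constructed traffic: 100 qps for 10 s, one source, one name/type, TTL 5 s."""
    limiter = ResponseLimiter()
    answered = sum(
        limiter.should_answer("192.0.2.10", "example.com.", "TXT", ttl=5, now=i / 100)
        for i in range(1000)
    )
    return answered, len(limiter._expiry)      # (responses sent, entries held)
```

With the state table capped, an evicted entry is answered again before its TTL ends, so the limiter fails open under state pressure rather than dropping queries it has no record of.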


