[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

David Conrad drc at virtualized.org
Fri Jun 24 17:10:19 UTC 2011


On Jun 24, 2011, at 6:54 AM, Rick Jones wrote:
>> Assume your authoritative server is getting hit with (say) 100 qps
>> for the same name/type.  Of what possible benefit is responding to
>> all but the first within a TTL?
> Is caching "de jure" mandatory in DNS?

An interesting question. Not much case law in DNS I'm aware of. From my perspective, if an authoritative server provides an answer, I would think it could be reasonably assumed that the answer should be considered valid for the duration of the TTL.  Of course, there are cases in which the requester doesn't receive the answer or it loses its cache, so responding to "reasonable" retransmits would be appropriate.  I have difficulty seeing (say) 100 qps being a reasonable retransmit strategy.
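An added illustration of the responder-side policy sketched above, not code from the thread or from any DNS implementation: the first query for a (client, name, type) tuple is answered, a small fixed number of retransmits within the answer's TTL is still honoured (lost replies, cache loss), and anything beyond that, such as the 100 qps case, is suppressed. The allowance of three retransmits per TTL window and the query trace are constructed assumptions.

```python
"""Toy TTL-window response limiter (added example, not from the thread)."""

RETRANSMIT_ALLOWANCE = 3  # retransmits answered per TTL window after the first reply (assumed)


class TtlResponseLimiter:
    def __init__(self, allowance=RETRANSMIT_ALLOWANCE):
        self.allowance = allowance
        self._windows = {}  # (client, qname, qtype) -> (window_end, answers_sent)

    def should_answer(self, client, qname, qtype, ttl, now):
        key = (client, qname.lower().rstrip("."), qtype.upper())
        window_end, sent = self._windows.get(key, (0.0, 0))
        if now >= window_end:
            # No answer outstanding within a TTL: reply and open a new window
            self._windows[key] = (now + ttl, 1)
            return True
        if sent <= self.allowance:
            # A bounded number of "reasonable" retransmits is still answered
            self._windows[key] = (window_end, sent + 1)
            return True
        return False  # flood of identical queries inside the TTL: suppressed


def replay(queries, ttl, allowance=RETRANSMIT_ALLOWANCE):
    """Return (answered, suppressed) for a list of (timestamp, client, qname, qtype)."""
    limiter = TtlResponseLimiter(allowance)
    answered = suppressed = 0
    for ts, client, qname, qtype in queries:
        if limiter.should_answer(client, qname, qtype, ttl, ts):
            answered += 1
        else:
            suppressed += 1
    return answered, suppressed


# Constructed trace: 100 identical TXT queries from one source in one second,
# then one more query after the 3600 s TTL has expired.
FLOOD = [(0.01 * i, "192.0.2.10", "example.com.", "TXT") for i in range(100)]
LATER = [(3600.0, "192.0.2.10", "example.com.", "TXT")]

if __name__ == "__main__":
    print(replay(FLOOD + LATER, ttl=3600))  # (5, 96)
```

Keying on the client address means a spoofed source can cause a genuine resolver at that address to be suppressed, which is why production rate limiters also send occasional truncated (TC) responses so the real resolver can retry over TCP.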

