[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Rick Jones rick.jones2 at hp.com
Fri Jun 24 17:37:31 UTC 2011

On 06/24/2011 10:10 AM, David Conrad wrote:
> Rick,
> On Jun 24, 2011, at 6:54 AM, Rick Jones wrote:
>>> Assume your authoritative server is getting hit with (say) 100
>>> qps for the same name/type.  Of what possible benefit is
>>> responding to all but the first within a TTL?
>> Is caching "de jure" mandatory in DNS?
> An interesting question. Not much case law in DNS I'm aware of.

OK, perhaps my (ab)using "de jure" was setting myself up for that... 
The question was: do the RFCs covering DNS require caching of responses?

rick jones

> From my perspective, if an authoritative server provides an answer,
> I would think it could be reasonably assumed that the answer should
> be considered valid for the duration of the TTL.  Of course, there
> are cases in which the requester doesn't receive the answer or it
> loses its cache, so responding to "reasonable" retransmits would be
> appropriate.  I have difficulty seeing (say) 100 qps being a
> reasonable retransmit strategy.
> Regards, -drc
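As an added illustration of the argument in the quoted message (example code written for this page, not code from the thread or from any nameserver's rate-limiting implementation): a limiter keyed on client, name and type that answers the first query plus a small allowance of retransmits, then stays silent until the TTL it handed out has elapsed. The client address, query name, TTL and the retransmit allowance below are constructed values.

```python
"""Per-(client, name, type) response limiter: after answering once, only a
bounded number of retransmits within the TTL get a reply.  Assumed design
for illustration, not any nameserver's actual RRL code."""
from dataclasses import dataclass


@dataclass
class _Window:
    started: float      # time of the first answered query in this window
    answered: int = 0   # replies sent so far in this window


class TTLResponseLimiter:
    def __init__(self, max_retransmits: int = 2):
        # First answer plus this many "reasonable" retransmits per TTL window.
        self.max_retransmits = max_retransmits
        self._windows = {}

    def decide(self, client: str, qname: str, qtype: str, ttl: int, now: float) -> str:
        """Return 'answer' or 'drop' for one incoming query."""
        key = (client, qname.lower(), qtype.upper())
        w = self._windows.get(key)
        # The window expires once the TTL we handed out has elapsed: any cached
        # copy at the client is now stale, so a fresh query is legitimate again.
        if w is None or now - w.started >= ttl:
            w = _Window(started=now)
            self._windows[key] = w
        if w.answered <= self.max_retransmits:
            w.answered += 1
            return "answer"
        return "drop"


def simulate(qps: int, seconds: float, ttl: int, max_retransmits: int = 2) -> dict:
    """Constructed traffic: one client repeating the same name/type at `qps`
    for `seconds`.  Returns how many queries were answered and dropped."""
    lim = TTLResponseLimiter(max_retransmits)
    counts = {"answer": 0, "drop": 0}
    for i in range(int(qps * seconds)):
        t = i / qps
        counts[lim.decide("192.0.2.10", "example.com.", "TXT", ttl, t)] += 1
    return counts


if __name__ == "__main__":
    # 100 qps for the same name/type, TTL 300s: 3 answers, 97 silently dropped.
    print(simulate(qps=100, seconds=1.0, ttl=300))
```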
