[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Rick Jones rick.jones2 at hp.com
Fri Jun 24 23:22:20 UTC 2011

On 06/24/2011 04:15 PM, David Conrad wrote:
> Rick,
> On Jun 24, 2011, at 11:49 AM, Rick Jones wrote:
>> That depends on how reasonable/legitimate it is felt to toss the
>> baby of a non-caching resolver talking to an authoritative server
>> out with the bathwater of an attack.
> I'm curious: can you point to a non-caching resolver with non-trivial
> deployment?  (Not denying they exist, honestly curious).

I was thinking more along the lines of an end-system pointed directly at
an authoritative server and probably should have said so. I probably had 
"resolver library" in my brain while I was typing. Though perhaps in an 
"operational" context that is something that is indeed either 
"prohibited" or "really, Really, REALLY discouraged."

The ever fun distinctions between "can," "may," and "should."

