[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record

Robert Edmonds edmonds at isc.org
Fri Jun 24 23:44:09 UTC 2011


David Conrad wrote:
> On Jun 24, 2011, at 11:49 AM, Rick Jones wrote:
> > That depends on how reasonable/legitimate it is felt to toss the
> > baby of a non-caching resolver talking to an authoritative server
> > out with the bathwater of an attack.
> 
> I'm curious: can you point to a non-caching resolver with non-trivial
> deployment?  (Not denying they exist, honestly curious).

djb's dnscache without a patch does not cache SOA records.

dnsmasq, while a forwarding cache and not actually a resolver, only
caches rrtypes A, AAAA, CNAME, and PTR.

-- 
Robert Edmonds
edmonds at isc.org


