[dns-operations] Limiting DNSSEC-based amplification attacks (Was: Weird TXT record
Robert Edmonds
edmonds at isc.org
Fri Jun 24 23:44:09 UTC 2011
David Conrad wrote:
> On Jun 24, 2011, at 11:49 AM, Rick Jones wrote:
> > That depends on how reasonable/legitimate it is felt to toss the
> > baby of a non-caching resolver talking to an authoritative server
> > out with the bathwater of an attack.
>
> I'm curious: can you point to a non-caching resolver with non-trivial
> deployment? (Not denying they exist, honestly curious).
djb's dnscache without a patch does not cache SOA records.
dnsmasq, while a forwarding cache and not actually a resolver, only
caches rrtypes A, AAAA, CNAME, and PTR.
--
Robert Edmonds
edmonds at isc.org