[dns-operations] question for DNS being attacked

Paul Vixie paul at redbarn.org
Thu Jun 28 05:55:49 UTC 2012


On 2012-06-28 5:30 AM, Michael Graff wrote:
> ...
>
> The RRL tech may not be supported by ISC, but the URL http://ss.vix.com/~vixie/isc-tn-2012-1.txt says it is copyright by ISC.

that's my tech note boilerplate. no connotation of support by isc was
intended. oops.

> I still fear this sort of rate limiting (or possibly any major rate limiting that isn't fair-share outgoing bandwidth limiting) can cause other issues, including some security issues.  It may solve the distributed flood using DNS as an amplification, but until I see a write up on exactly how it performs with more than just a description, and a few people outside of the two developers analyze that methodology, I would not use this system in production.

i'll see what i can do.

> Even with the slip values, I still feel this can open a wider window for other forms of attacks against a DNS zone.

"feel" is not a term of art here.

paul
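The "slip" mechanism referred to above is easier to reason about with a small model in front of you. The following is an added example written for this archive page; it is not ISC's RRL code, not the contents of the tech note, and not Paul's or Michael's. It models the two ideas the thread is arguing over: a per-(client prefix, identical response) rate limit, and a slip value N under which every Nth rate-limited response is sent as a truncated (TC=1) reply instead of being silently dropped, so a client that is not spoofed can retry over TCP. The class and function names (RateLimiter, simulate, demo), the token-bucket refill and the sample traffic are all assumptions made for this example.

```python
# Added example: a simplified model of DNS response rate limiting (RRL)
# with a "slip" value. Not ISC's implementation; names and the token-bucket
# refill are assumptions made for this illustration.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

DROP, SLIP, SEND = "drop", "slip", "send"


@dataclass
class RateLimiter:
    responses_per_second: int = 5   # identical responses allowed per prefix per second
    slip: int = 2                   # every Nth limited response is sent truncated; 0 = never
    ipv4_prefix: int = 24           # clients are aggregated by prefix, as RRL does
    ipv6_prefix: int = 56
    _tokens: dict = field(default_factory=dict)               # key -> remaining credit
    _last: dict = field(default_factory=dict)                 # key -> time of last refill
    _slip_count: dict = field(default_factory=lambda: defaultdict(int))

    def _key(self, client_ip, qname, qtype, rcode):
        """Bucket key: client prefix plus what identifies an identical response."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.ipv4_prefix if addr.version == 4 else self.ipv6_prefix
        prefix = ipaddress.ip_interface(f"{client_ip}/{plen}").network
        return (str(prefix), qname.lower(), qtype, rcode)

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return SEND (full answer), SLIP (truncated answer) or DROP (no answer)."""
        key = self._key(client_ip, qname, qtype, rcode)
        tokens = self._tokens.get(key, self.responses_per_second)
        last = self._last.get(key, now)
        # Refill: one second of elapsed time restores a full second of credit.
        tokens = min(self.responses_per_second,
                     tokens + (now - last) * self.responses_per_second)
        self._last[key] = now
        if tokens >= 1:
            self._tokens[key] = tokens - 1
            return SEND
        self._tokens[key] = tokens
        # Rate limited: drop, except every Nth response which is "slipped" as TC=1.
        if self.slip > 0:
            self._slip_count[key] += 1
            if self._slip_count[key] % self.slip == 0:
                return SLIP
        return DROP


def simulate(limiter, events):
    """events: (time, client_ip, qname, qtype, rcode) tuples. Returns verdict counts."""
    counts = {DROP: 0, SLIP: 0, SEND: 0}
    for t, ip, qname, qtype, rcode in events:
        counts[limiter.decide(ip, qname, qtype, rcode, t)] += 1
    return counts


def demo():
    """Constructed traffic (not captured data): a spoofed ANY flood from one
    source address plus a few legitimate A queries from another prefix."""
    rl = RateLimiter(responses_per_second=5, slip=2)
    flood = [(0, "192.0.2.7", "example.com", "ANY", "NOERROR") for _ in range(20)]
    legit = [(0, "198.51.100.9", "example.com", "A", "NOERROR") for _ in range(3)]
    result = {"flood": simulate(rl, flood), "legit": simulate(rl, legit)}
    # Another host in the same /24 shares the bucket while the flood is running...
    result["same_prefix_now"] = rl.decide("192.0.2.200", "example.com", "ANY", "NOERROR", now=0)
    # ...but one second later the bucket has refilled and it gets a full answer.
    result["same_prefix_later"] = rl.decide("192.0.2.200", "example.com", "ANY", "NOERROR", now=1)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these constructed inputs the first five flood responses in the second go out in full, the remaining fifteen are rate limited, and with slip=2 seven of those are sent truncated while eight are dropped; the legitimate client on a different prefix is not affected, and the limited prefix recovers once the window has passed. The aggregation by prefix is also what gives the behaviour Michael is worried about: any host that shares a prefix with a spoofed source, including the spoofed victim itself, shares that prefix's bucket for identical responses.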
