[dns-operations] Massive DNS poisoning attacks in Brazil
Paul Vixie
paul at redbarn.org
Wed Oct 3 00:59:15 UTC 2012
On 2012-10-03 12:55 AM, David Conrad wrote:
> On Oct 2, 2012, at 5:49 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> The only reasonable solution is to give stub resolvers some of the
>> features of recursive resolvers including DNSSEC validation and caching
>> to make the costs of DNSSEC tolerable.
> Why not get rid of stub resolvers completely and simply use recursive resolvers?
there's an urban legend about how the authority servers depend on
caching by intermediate recursives and that if every end system had its
own recursive server on board the authorities would melt.
the actual truth is that 98.9% of the traffic coming to the roots, and
likely 90% of the traffic coming to authority servers overall, is dreck.
for which they are amply overprovisioned. if we dilute that with more
real traffic it might get the dreck percentage down to 80% but it
wouldn't melt anything.
paul
More information about the dns-operations
mailing list