[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Wed Oct 3 00:59:15 UTC 2012

On 2012-10-03 12:55 AM, David Conrad wrote:
> On Oct 2, 2012, at 5:49 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> The only reasonable solution is to give stub resolvers some of the
>> features of recursive resolvers including DNSSEC validation and caching
>> to make the costs of DNSSEC tolerable.
> Why not get rid of stub resolvers completely and simply use recursive resolvers?

there's an urban legend about how the authority servers depend on
caching by intermediate recursives and that if every end system had its
own recursive server on board the authorities would melt.

the actual truth is that 98.9% of the traffic coming to the roots, and
likely 90% of the traffic coming to authority servers overall, is dreck,
for which they are amply overprovisioned. if we dilute that with more
real traffic it might get the dreck percentage down to 80% but it
wouldn't melt anything.


