[dns-operations] Geoff Huston on DNS-over-TCP-only study.
vjs at rhyolite.com
Wed Aug 21 13:44:51 UTC 2013
disappointed me with this characterization of RRL:
There is a conversation thread that says that resolvers should
implement response rate limiting (RRL), and silently discard
repetitive queries that exceed some locally configured threshold.
That ignores the "slip" parameter. That is irritating given the
relevant implications of slip=2 as the default in one RRL implementation
and the popular alternative of slip=1.
I was also disappointing that it failed to mention the crushing
costs of DNS/TCP.
And I was disappointed by its failure to mention DNS cookies as
a potential alternative to mitigating reflection attacks with DNS/TCP.
On othe other hand, I'm not sure that the article was intended to
advocate using DNS/TCP all of the time instead of only during attacks
or even only during attacks. 2% or 17% failure rates are significant.
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations