[dns-operations] bind-9.9.3rc2 ANY+TCP patch

Jared Mauch jared at puck.nether.net
Wed May 15 22:03:10 UTC 2013


On May 15, 2013, at 5:58 PM, John Kristoff <jtk at cymru.com> wrote:

> On Wed, 15 May 2013 17:52:11 -0400
> Jared Mauch <jared at puck.nether.net> wrote:
> 
>> If others want, I can look at putting in a config directive.  It
>> would be possible to add other RRtypes easily enough that should get
>> TCP only that are not commonly used.
> 
> I can speak for others, but I would prefer to use the RRL code already
> pretty well tested and being implemented in various name server
> implementations already.  I would recommend others do so as well.
> 
>  <http://www.redbarn.org/dns/ratelimits>
> 
> Why would someone choose to use your patch over RRL?

Because of the FP ratio presented at the DNS-OARC meeting this
past week.  It's suitable on a recursive resolver, where RRL is most effective
on an authority.

See 

https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0

Page #12

This effectively does slip=1 and does away with any amplification and just makes it
a pure reflection attack.  Still not ideal, but doesn't amplify.

- jared
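To make the comparison in the message above concrete, here is an added example that is not Jared's patch and not BIND code: a minimal stdlib-only model of a resolver that answers ANY over UDP with an empty TC=1 response (so the client must retry over TCP, where a spoofed source cannot complete the handshake), and answers in full over TCP. The response sizes, the 20 synthetic 128-byte TXT records and the example.com. name are all constructed here to show the amplification factor; the function names are my own.

```python
import struct

# DNS constants (RFC 1035)
QTYPE_A = 1
QTYPE_TXT = 16
QTYPE_ANY = 255
QCLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build a plain (non-EDNS) query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """Return (txid, flags, qtype, raw_question_bytes) of the first question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    while True:                      # walk the labels until the root byte
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, qtype, msg[12:off + 4]


def truncated_response(query):
    """Header + question only, with TC set: no amplification, pure reflection."""
    txid, _, _, question = parse_question(query)
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def full_response(query, rr_count=20, rdata_len=128):
    """Constructed 'big' answer: rr_count TXT RRs of rdata_len bytes each.

    Sizes are made up to illustrate the amplification factor; a real answer
    this large would need EDNS0 to fit in UDP at all.
    """
    txid, _, _, question = parse_question(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    header = struct.pack("!HHHHHH", txid, flags, 1, rr_count, 0, 0)
    rrs = b""
    for _ in range(rr_count):
        rdata = bytes([rdata_len - 1]) + b"x" * (rdata_len - 1)  # one TXT string
        # 0xC00C = compression pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + rrs


def respond(query, transport):
    """ANY over UDP gets TC=1; everything else (including ANY over TCP) is answered."""
    _, _, qtype, _ = parse_question(query)
    if transport == "udp" and qtype == QTYPE_ANY:
        return truncated_response(query)
    return full_response(query)


def is_truncated(response):
    _, flags, _, _ = parse_question(response)
    return bool(flags & FLAG_TC)


def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_ANY)
    udp = respond(q, "udp")
    tcp = respond(q, "tcp")
    print("query bytes:", len(q))
    print("UDP ANY -> TC=1, amplification %.1fx" % amplification(q, udp))
    print("TCP ANY -> full answer, amplification %.1fx" % amplification(q, tcp))
```

Note what the model does and does not buy you: the UDP reply is the same size as the query, so a reflector abusing this resolver gets a 1:1 reflection and nothing more, which is exactly the "slip=1" behaviour the message describes. The spoofed victim still receives one packet per spoofed query, so the resolver is still a reflector, just not an amplifier. RRL, by contrast, also drops or rate-limits repeated responses to the same apparent source, which is why it is the better fit on an authority.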

