[dns-operations] bind-9.9.3rc2 ANY+TCP patch
Jared Mauch
jared at puck.nether.net
Wed May 15 22:03:10 UTC 2013
On May 15, 2013, at 5:58 PM, John Kristoff <jtk at cymru.com> wrote:
> On Wed, 15 May 2013 17:52:11 -0400
> Jared Mauch <jared at puck.nether.net> wrote:
>
>> If others want, I can look at putting in a config directive. It
>> would be possible to add other RRtypes easily enough that should get
>> TCP only that are not commonly used.
>
> I can speak for others, but I would prefer to use the RRL code already
> pretty well tested and being implemented in various name server
> implementations already. I would recommend others do so as well.
>
> <http://www.redbarn.org/dns/ratelimits>
>
> Why would someone choose to use your patch over RRL?
Because of the FP ratio presented at the DNS-OARC meeting this
past week. It's suitable on a recursive resolver, where RRL is most effective
on an authority.
See
https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0
Page #12
This effectively does slip=1 and does away with any amplification and just makes it
a pure reflection attack. Still not ideal, but doesn't amplify.
- jared
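The "slip=1" comparison above can be made concrete. The following is an added illustration, not Jared's patch nor BIND code: a minimal model of a resolver that answers ANY (and any other configured RR type) over UDP with a truncated, answer-less reply carrying the TC bit, forcing the client to retry over TCP, and hands out the full response only on TCP. The set of TCP-only types, the query name, and the answer section are all constructed sample values; the wire-format helpers are written from scratch against RFC 1035 and are not part of any real server.

```python
import struct

# RR types answered only over TCP. ANY (255) is the case in the post; the set
# itself is an assumption standing in for a hypothetical config directive.
TCP_ONLY_QTYPES = {255}

QR = 0x8000  # response flag
TC = 0x0200  # truncation flag (RFC 1035 section 4.1.1)


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """A standard query: 12-byte header, RD set, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(wire):
    """Return (txid, qtype, raw question section) of a single-question query."""
    txid = struct.unpack("!H", wire[:2])[0]
    pos = 12
    while wire[pos] != 0:          # walk the labels to the terminating zero
        pos += 1 + wire[pos]
    pos += 1
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    return txid, qtype, wire[12:pos + 4]


def respond(query_wire, transport, answer_section, ancount):
    """Mimic the patched behaviour: TCP-only types get a header+question
    reply with TC=1 over UDP (no amplification); everything else, and every
    TCP query, gets the full answer."""
    txid, qtype, question = parse_query(query_wire)
    if transport == "udp" and qtype in TCP_ONLY_QTYPES:
        header = struct.pack("!HHHHHH", txid, QR | TC, 1, 0, 0, 0)
        return header + question
    header = struct.pack("!HHHHHH", txid, QR, 1, ancount, 0, 0)
    return header + question + answer_section


def amplification(query_wire, reply_wire):
    """Bytes sent back per byte received; 1.0 means pure reflection."""
    return len(reply_wire) / len(query_wire)


# Constructed answer section: one A record and one 200-byte TXT record,
# both using the 0xC00C compression pointer back to the question name.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
TXT_RR = (b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, 201)
          + bytes([200]) + b"x" * 200)
SAMPLE_ANSWERS = A_RR + TXT_RR
SAMPLE_ANCOUNT = 2


def compare(name="example.com", qtype=255):
    """Return (udp_ratio, tcp_ratio) for the same ANY query on each transport."""
    q = build_query(name, qtype)
    udp_reply = respond(q, "udp", SAMPLE_ANSWERS, SAMPLE_ANCOUNT)
    tcp_reply = respond(q, "tcp", SAMPLE_ANSWERS, SAMPLE_ANCOUNT)
    return amplification(q, udp_reply), amplification(q, tcp_reply)


if __name__ == "__main__":
    udp, tcp = compare()
    print(f"UDP ANY (truncated): {udp:.2f}x   TCP ANY (full): {tcp:.2f}x")
```

Over UDP the truncated reply is exactly the size of the query, so a spoofed-source ANY flood gains no amplification from this resolver; the full answer is only obtainable over TCP, where the three-way handshake defeats source spoofing. That is the trade-off the post describes: reflection is still possible, multiplication is not.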