[dns-operations] bind-9.9.3rc2 ANY+TCP patch
Jared Mauch
jared at puck.nether.net
Wed May 15 22:27:40 UTC 2013
One more comment: This patch only impacts recursive servers, not authorities.
They won't set TC=1 for an ANY query.
- Jared
On May 15, 2013, at 6:03 PM, Jared Mauch <jared at puck.nether.net> wrote:
>
> On May 15, 2013, at 5:58 PM, John Kristoff <jtk at cymru.com> wrote:
>
>> On Wed, 15 May 2013 17:52:11 -0400
>> Jared Mauch <jared at puck.nether.net> wrote:
>>
>>> If others want, I can look at putting in a config directive. It
>>> would be possible to add other RRtypes easily enough that should get
>>> TCP only that are not commonly used.
>>
>> I can speak for others, but I would prefer to use the RRL code already
>> pretty well tested and being implemented in various name server
>> implementations already. I would recommend others do so as well.
>>
>> <http://www.redbarn.org/dns/ratelimits>
>>
>> Why would someone choose to use your patch over RRL?
>
> Because of the FP ratio presented at the DNS-OARC meeting this
> past week. It's suitable on a recursive resolver, where RRL is most effective
> on an authority.
>
> See
>
> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0
>
> Page #12
>
> This effectively does slip=1 and does away with any amplification and just makes it
> a pure reflection attack. Still not ideal, but doesn't amplify.
>
> - jared
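The behaviour discussed in this thread, a recursive resolver that answers ANY over UDP with an empty TC=1 reply so the client retries over TCP, modelled as an added example. This is not Jared's BIND patch and not BIND code; it is a stand-alone Python sketch (using only the standard library) that builds a minimal DNS query, applies the ANY+UDP rule, and measures the resulting amplification ratio against a constructed full-size ANY answer. The 30-record answer and the 10.0.0.1 addresses are constructed sample data.

```python
import struct

# DNS constants (RFC 1035): qtype 255 = ANY; header flag bits.
QTYPE_ANY = 255
QTYPE_A = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question

def parse_query(pkt):
    """Return (txid, flags, qname, qtype, raw question section)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, flags, ".".join(labels), qtype, pkt[12:off + 4]

def truncated_response(txid, question):
    """Empty answer with QR+TC set: same size as the query, no amplification."""
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question

def constructed_full_answer(txid, question, nrecords=30):
    """Constructed stand-in for a large ANY answer: 30 A records of 16 bytes
    each, using a name-compression pointer (0xC00C) back to the question."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    header = struct.pack("!HHHHHH", txid, flags, 1, nrecords, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, 4) + b"\x0a\x00\x00\x01"
    return header + question + rr * nrecords

def handle(pkt, transport, full_answer=constructed_full_answer):
    """Recursive-resolver rule modelled on the thread: ANY over UDP gets an
    empty TC=1 reply; ANY over TCP and every other qtype are answered fully.
    Assumption for this sketch: transport is the string 'udp' or 'tcp'."""
    txid, flags, qname, qtype, question = parse_query(pkt)
    if qtype == QTYPE_ANY and transport == "udp":
        return truncated_response(txid, question)
    return full_answer(txid, question)

def is_truncated(resp):
    return bool(struct.unpack("!H", resp[2:4])[0] & FLAG_TC)

def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    for transport in ("udp", "tcp"):
        r = handle(q, transport)
        print(f"ANY over {transport}: TC={is_truncated(r)}, "
              f"amplification={amplification(q, r):.1f}x")
```

The UDP path yields a 29-byte reply to a 29-byte query (ratio 1.0, a pure reflection as the thread puts it), while the same query over TCP, where the source address has been validated by the handshake, receives the full answer. This is the same end result as RRL with slip=1, except that it is keyed on the query type rather than on a per-client response rate, which is the trade-off the thread is comparing.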