[dns-operations] bind-9.9.3rc2 ANY+TCP patch

Jared Mauch jared at puck.nether.net
Wed May 15 22:27:40 UTC 2013


One more comment:  This patch only impacts recursive servers, not authorities.

They won't set TC=1 for an ANY query.

- Jared

On May 15, 2013, at 6:03 PM, Jared Mauch <jared at puck.nether.net> wrote:

> 
> On May 15, 2013, at 5:58 PM, John Kristoff <jtk at cymru.com> wrote:
> 
>> On Wed, 15 May 2013 17:52:11 -0400
>> Jared Mauch <jared at puck.nether.net> wrote:
>> 
>>> If others want, I can look at putting in a config directive.  It
>>> would be possible to add other RRtypes easily enough that should get
>>> TCP only that are not commonly used.
>> 
>> I can speak for others, but I would prefer to use the RRL code already
>> pretty well tested and being implemented in various name server
>> implementations already.  I would recommend others do so as well.
>> 
>> <http://www.redbarn.org/dns/ratelimits>
>> 
>> Why would someone choose to use your patch over RRL?
> 
> Because of the FP ratio presented at the DNS-OARC meeting this
> past week.  It's suitable on a recursive resolver, where RRL is most effective
> on an authority.
> 
> See 
> 
> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0
> 
> Page #12
> 
> This effectively does slip=1 and does away with any amplification and just makes it
> a pure reflection attack.  Still not ideal, but doesn't amplify.
> 
> - jared
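As an added illustration, not Jared's patch and not BIND code, the following Python models the behaviour the thread describes: a recursive server answering an ANY query received over UDP with an empty TC=1 reply so the client must retry over TCP, which removes the amplification while leaving authorities, TCP queries and other RRtypes untouched. The query, the role/transport labels and the 100-record "full answer" are constructed for the example.

```python
import struct

QTYPE_A, QTYPE_ANY = 1, 255
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080

def build_query(name, qtype, txid=0x1234):
    """Construct a minimal single-question DNS query (sample input, no EDNS)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, raw question section, qtype) of a one-question message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while msg[pos]:            # walk the labels up to the root byte
        pos += 1 + msg[pos]
    pos += 1
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, flags, msg[12:pos + 4], qtype

def respond(query, transport, role, full_answer):
    """Policy the thread describes: a recursive server answers ANY-over-UDP with an
    empty TC=1 reply (client retries over TCP); authorities and TCP are untouched."""
    txid, flags, question, qtype = parse_question(query)
    if role == "recursive" and transport == "udp" and qtype == QTYPE_ANY:
        flags_out = FLAG_QR | FLAG_TC | FLAG_RA | (flags & FLAG_RD)
        return struct.pack("!HHHHHH", txid, flags_out, 1, 0, 0, 0) + question
    return full_answer

def amplification(query, response):
    """Bytes sent back to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)

def constructed_full_answer(query, n_records=100):
    """Constructed stand-in for a large ANY answer: n A records for the qname."""
    txid, flags, question, _ = parse_question(query)
    hdr = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RA | (flags & FLAG_RD), 1, n_records, 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([10, 0, 0, i])
                   for i in range(n_records))
    return hdr + question + rrs

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    full = constructed_full_answer(q)
    print("unpatched UDP amplification: %.1fx" % amplification(q, full))
    print("patched   UDP amplification: %.1fx" % amplification(q, respond(q, "udp", "recursive", full)))
```

With the constructed answer the unpatched ratio is about 56x, while the TC=1 reply is exactly the size of the query (1.0x), the "pure reflection" case Jared describes.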
