[dns-operations] bind-9.9.3rc2 ANY+TCP patch

Jared Mauch jared at puck.nether.net
Wed May 15 22:57:41 UTC 2013

On May 15, 2013, at 6:52 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

>> This effectively does slip=1 and does away with any amplification and just makes it
>> a pure reflection attack.  Still not ideal, but doesn't amplify.
> On the contrary, as I just now wrote in the ratelimits mailing list
> http://lists.redbarn.org/mailman/listinfo/ratelimits
> your patch does not affect amplification by authorities.
> For example, if applied to an authority for isc.org, 
> `dig +dnssec isc.org any @ams.sns-pb.isc.org'
> would still reflect almost 4 KBytes for each 60 byte ANY request.

The folks that are most concerned with RRL are those expecting queries
from stub resolvers, I think this would mitigate this risk.

- Jared

More information about the dns-operations mailing list