[dns-operations] bind-9.9.3rc2 ANY+TCP patch
Jared Mauch
jared at puck.nether.net
Wed May 15 22:57:41 UTC 2013
On May 15, 2013, at 6:52 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> This effectively does slip=1 and does away with any amplification and just makes it
>> a pure reflection attack. Still not ideal, but doesn't amplify.
>
> On the contrary, as I just now wrote in the ratelimits mailing list
> http://lists.redbarn.org/mailman/listinfo/ratelimits
> your patch does not affect amplification by authorities.
> For example, if applied to an authority for isc.org,
> `dig +dnssec isc.org any @ams.sns-pb.isc.org'
> would still reflect almost 4 KBytes for each 60 byte ANY request.
The folks that are most concerned with RRL are those expecting queries
from stub resolvers; I think this would mitigate this risk.
- Jared
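Added example (not from the thread or from BIND): it builds, in DNS wire format, roughly the query `dig +dnssec isc.org any` sends and the truncated TC=1 reply that a slip response amounts to, then compares their sizes to show that a truncated reply reflects without amplifying. isc.org and the query id are sample values; the EDNS buffer size of 4096 is assumed.

```python
import struct

QTYPE_ANY = 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_any_query(name: str, qid: int = 0x1234, dnssec: bool = True) -> bytes:
    """ANY query with RD set, one question, and an EDNS0 OPT RR carrying the
    DO bit (approximately what 'dig +dnssec <name> any' puts on the wire)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, 1)  # class IN
    opt = b""
    if dnssec:
        # OPT RR: root name, type 41, CLASS = UDP size 4096, TTL field = DO bit, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def slip_truncated_response(query: bytes) -> bytes:
    """Minimal reply sent instead of the real answer: same id and question,
    QR/AA/TC set, every RR count zero, so a real client retries over TCP."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12                      # walk the question name, then skip qtype/qclass
    while query[pos] != 0:
        pos += 1 + query[pos]
    pos += 1 + 4
    resp_flags = FLAG_QR | FLAG_AA | FLAG_TC | (flags & FLAG_RD)
    return struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0) + query[12:pos]


def has_tc(message: bytes) -> bool:
    """True if the TC (truncated) bit is set in the header flags."""
    return bool(struct.unpack("!H", message[2:4])[0] & FLAG_TC)


def amplification(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed source per byte of query received."""
    return len(response) / len(query)
```

A 36-byte query yields a 25-byte truncated reply, an amplification factor below 1; a full ANY+DNSSEC answer of the size cited in the thread would be two orders of magnitude larger.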