[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

James R Cutler james.cutler at consultant.com
Thu Dec 25 00:58:37 UTC 2014


As to, "Yes, that clearly violates the TTL of the rrset, but wouldn't it be
over-all better for the health of the internet?"

Absolutely not!  Save us from decisions based on assumptions rather than fact!

If you really believe that decisions based on ignorance are better, set your MTA to pick a recipient for email whenever the left-hand part is unrecognized.  As some others here would do, I also encourage my competitors to follow your idea.


James R. Cutler
James.cutler at consultant.com
PGP keys at http://pgp.mit.edu

> On Dec 24, 2014, at 5:34 PM, Colm MacCárthaigh <colm at stdlib.net> wrote:
> 
> There's a good question embedded in that discussion:  when a resolver
> fails to get an answer from all of the authoritative nameservers for a
> domain, why not use the last known answer, even if it's stale.
> 
> Yes, that clearly violates the TTL of the rrset, but wouldn't it be
> over-all better for the health of the internet?
> 
> On Wed, Dec 24, 2014 at 1:56 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> 
>> https://news.ycombinator.com/item?id=8784210
>> 
>> After the successful attacks against Rackspace, Namecheap, DNSsimple
>> and 1&1, it is clear that dDoS attacks against DNS servers are very
>> common this winter, and they succeed :-(
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
> 
> 
> --
> Colm

James R. Cutler
James.cutler at consultant.com
PGP keys at http://pgp.mit.edu
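
The behaviour debated in this thread, as an added example that is not from any poster or from any resolver's code: a cache that either honours the TTL strictly or falls back to the last known answer when no authoritative server responds. The names `Cache`, `max_stale` and `demo`, the one-hour staleness cap, and the record for www.example.com are assumptions constructed for illustration.

```python
import time

class UpstreamFailure(Exception):
    """No authoritative server for the name answered."""

class Cache:
    def __init__(self, upstream, serve_stale=False, max_stale=3600, clock=time.monotonic):
        self.upstream = upstream        # callable(name) -> (rdata, ttl); raises UpstreamFailure
        self.serve_stale = serve_stale  # False: honour the TTL strictly
        self.max_stale = max_stale      # assumed cap, in seconds past TTL expiry
        self.clock = clock
        self.entries = {}               # name -> (rdata, absolute expiry time)

    def resolve(self, name):
        """Return (rdata, status); status is 'fresh', 'cached' or 'stale'."""
        now = self.clock()
        entry = self.entries.get(name)
        if entry and now < entry[1]:
            return entry[0], "cached"
        try:
            rdata, ttl = self.upstream(name)
        except UpstreamFailure:
            # Stale fallback: the TTL is violated and the data may no longer be valid,
            # so the answer is labelled and the overrun is bounded.
            if self.serve_stale and entry and now - entry[1] <= self.max_stale:
                return entry[0], "stale"
            raise
        self.entries[name] = (rdata, now + ttl)
        return rdata, "fresh"

def demo(serve_stale):
    """Constructed scenario: one answer cached with TTL 300, then all servers go down."""
    now, up = [0.0], [True]
    zone = {"www.example.com": ("192.0.2.10", 300)}   # constructed sample record
    def upstream(name):
        if not up[0]:
            raise UpstreamFailure(name)
        return zone[name]
    cache = Cache(upstream, serve_stale=serve_stale, clock=lambda: now[0])
    statuses = [cache.resolve("www.example.com")[1]]
    up[0] = False                                     # every authoritative server unreachable
    for t in (200, 400, 5000):                        # inside TTL, just past it, past the cap
        now[0] = t
        try:
            statuses.append(cache.resolve("www.example.com")[1])
        except UpstreamFailure:
            statuses.append("servfail")
    return statuses

if __name__ == "__main__":
    print("strict TTL :", demo(False))
    print("serve stale:", demo(True))
```
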


