[dns-operations] Interesting messages in our logs

Phillip Hallam-Baker phill at hallambaker.com
Sat Nov 1 20:08:56 UTC 2014


On Sat, Nov 1, 2014 at 1:21 PM, Paul Vixie <paul at redbarn.org> wrote:
>
>   what we've learned from random-subdomain flood attacks is that the
> nxdomain limit (in BIND9 that's nxdomains-per-second) and the slip ratio
> both have to be higher than we thought. at the moment i'm going to say
> nxdomains-per-second of at least 20, and a slip ratio of 5.
>
>  This sort of control is of course what distinguishes a prototype
implementation of a service from deployment grade.

One of the concerns I have about approaches to DPRIVE is that they tend to
start from the DNS specification and add security to that model rather than
look at real world implementations.

It is really easy to assume away the hard problems. I want to get
authentication into the client-resolver loop so that we have a
cryptographic enforcement mechanism for abuse control rather than relying
on heuristics.