[dns-operations] Looking for a public blackhole/sinkhole IP address

Cathy Almond cathya at isc.org
Fri Nov 28 09:49:13 UTC 2014


On 27/11/2014 15:38, Warren Kumari wrote:

>>  That seems to be a much different use case (drop
>> the traffic as quickly and universally as possible, minimizing
>> collateral damage) from routing the traffic to something like a
>> community sinkhole.
> 
> Yes -- and the whole point of this plan would provide the "as quickly
> and universally as possible". The theory (hope) is that *most* people
> will spin up this prefix and null route it, preferably on their edges.
> Perhaps "community sinkhole^Wblackhole" is the wrong term / conjures
> up the wrong image, and "universal blackhole" would be better.
> What we are aiming for / proposing is a "toss this as soon as
> possible", not "route to a small number of sinkholes run by some
> volunteers". The incentive model here is that, the more people who do
> this, the more useful it is -- and so, one day when *I* need it, it
> will be available. This might suffer from a tragedy of the commons
> type problem - I'll just hope that other folk do it, so I don't need
> to sink the badness. One nice property that this has versus something
> like BGP38 / SAVE is that it is very easy to tell if your peers are
> not doing it -- and so you could easily include it in peering /
> provider contracts.
> What would be really nice (IMO) is, if we get consensus on this, to
> recommend that routers do this automagically (with a turn off knob) -
> there are already a number of "special" prefixes that some devices
> handle (127/8, 169.254.0.0/16, 240/4, etc) - having a default <this
> prefix>/24 -> discard in devices would make it so that the very first
> devices seeing the traffic would dump it.
> 
> 
> W
> [*]: Actually, it's unclear if this would have worked for [0] and [1]
> - you might need some more granularity than "Aaargh, make this stop!"

With the point being 'Aaargh, make this stop!', I like the special
discard prefixes idea in routers to which zone admins can 'delegate'
(i.e. NS records with glue pointing to them).

And anyway, local blackholes are surely better for eliminating unwanted
traffic?  Catch and drop the traffic at source, because it's headed for
the 'well-known blackhole' address.

But how about (since this is about DNS), having something similar within
the DNS namespace - a well-known nameserver name to which you can
delegate that is understood by all resolvers to mean "don't look any
further, don't attempt to get the addresses for the name - just
immediately SERVFAIL any more requests for the TTL of this NS record"?
(Or say, for that particular DNS server's implementation of lame server
cache period?)

Cathy
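The resolver-side behaviour Cathy sketches above (a delegation to a well-known nameserver name means "SERVFAIL immediately, ask no further questions, for the TTL of the NS record") can be modelled in a few dozen lines. The following is an added illustration and not code from the thread or from any resolver; the name `blackhole.example.` is a placeholder for the well-known name the proposal leaves unspecified, and the `upstream` callable stands in for whatever the resolver would otherwise do to chase the delegation.

```python
import time

# Placeholder for the proposal's well-known nameserver name (assumption:
# nothing of the sort is allocated; this is purely illustrative).
BLACKHOLE_NS = "blackhole.example."

SERVFAIL = "SERVFAIL"
NOERROR = "NOERROR"


def _canon(name):
    """Lower-case and ensure a single trailing dot so comparisons are exact."""
    return name.lower().rstrip(".") + "."


class BlackholeAwareResolver:
    """Minimal model of a resolver that honours 'delegated to the blackhole'.

    observe_delegation() is what the resolver would call when it sees an NS
    RRset for a zone; resolve() is the query path. A blackholed zone and
    everything beneath it gets SERVFAIL with no upstream traffic until the
    NS record's TTL has run out (a negative-cache-like entry keyed on the zone).
    """

    def __init__(self, upstream, clock=time.time):
        self.upstream = upstream          # callable(qname) -> rcode, used only for non-blackholed names
        self.clock = clock                # injectable for deterministic TTL handling
        self.blackholed = {}              # zone -> expiry (seconds since epoch)
        self.upstream_queries = 0         # how often we actually went out asking

    def observe_delegation(self, zone, ns_rrset):
        """ns_rrset is a list of (nsdname, ttl) tuples from the parent's NS RRset.

        Returns True when the delegation points at the well-known blackhole name,
        in which case the zone is recorded as dead for the record's TTL.
        """
        zone = _canon(zone)
        for nsdname, ttl in ns_rrset:
            if _canon(nsdname) == BLACKHOLE_NS:
                self.blackholed[zone] = self.clock() + ttl
                return True
        return False

    def _blackholed_zone_for(self, qname):
        """Walk from the full name towards the root; return the matching blackholed
        zone if its entry is still live, expiring stale entries on the way."""
        labels = _canon(qname).split(".")   # 'a.b.example.' -> ['a', 'b', 'example', '']
        now = self.clock()
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])    # trailing '' keeps the final dot
            expiry = self.blackholed.get(candidate)
            if expiry is None:
                continue
            if expiry > now:
                return candidate
            del self.blackholed[candidate]      # TTL elapsed: forget it, resolve normally
        return None

    def resolve(self, qname):
        """Return the rcode for qname, short-circuiting to SERVFAIL when blackholed."""
        if self._blackholed_zone_for(qname) is not None:
            return SERVFAIL
        self.upstream_queries += 1
        return self.upstream(qname)


if __name__ == "__main__":
    # Constructed sample: the parent delegates victim.example to the blackhole name.
    r = BlackholeAwareResolver(upstream=lambda q: NOERROR)
    r.observe_delegation("victim.example.", [(BLACKHOLE_NS, 300)])
    print(r.resolve("www.victim.example."), r.upstream_queries)   # SERVFAIL 0
    print(r.resolve("other.example."), r.upstream_queries)        # NOERROR 1
```

The important property for the "make this stop" goal is visible in the counter: queries under the blackholed zone never cause an upstream lookup, so the victim nameservers (and the blackhole name itself) see nothing; once the NS TTL elapses the resolver goes back to behaving normally, so the damage of a mistaken delegation is bounded by the TTL the zone admin chose.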
