[dns-operations] Configurable TC=1?

Tony Finch dot at dotat.at
Mon Dec 21 12:29:43 UTC 2015


Anand Buddhdev <anandb at ripe.net> wrote:
>
> These are VERY important points. Paul advocates RRL all the time, and it
> is a useful countermeasure. However, I would go one step further. I
> would say that name servers should simply NOT respond at all over UDP if
> they are queried for a zone they're not authoritative for.

I think this would make it unnecessarily hard to debug delegation
misconfigurations. It's fine to suppress reply traffic if you think
you are under attack, but ignoring legitimate queries isn't helpful.

The intro of Mark's draft is relevant...
https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-01

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire, South Utsire: Westerly or southwesterly 6 to gale 8,
occasionally severe gale 9 in Viking, perhaps severe gale 9 later elsewhere.
Rough or very rough. Rain or showers. Good, occasionally poor.


