[dns-operations] Configurable TC=1?
dns at fl1ger.de
Thu Dec 24 11:22:41 UTC 2015
On 23 Dec 2015, at 19:26, Paul Vixie wrote:
> if your goal is to educate and motivate and improve the breed of
> attackers, then low-end
> solutions which only require a one line code change on their part and
> which preserve the rest
> of their approach intact, are right for you.
My goal is to help people to mitigate attacks. For that I use all of the
> that is not my goal. i want to make dns hard enough to use for
> reflection that the attacker has
> to retool and go to some other protocol. that means attenuation at
> both the BPS and PPS
> level. and it means no RR type filtering.
There are scenarios where RRL just won't work as others have pointed
out. There is no one size fits all solution on security or fighting
attacks and IMHO we should use the toolset we have and of course enhance
it over and over again. I don't see any other way if you are running a
service in the Internet and when you look into history and think about
e.g SMTP or HTTP this was and still is true. This of course applies to
DNS and other services also.
More information about the dns-operations