[dns-operations] Configurable TC=1?

Paul Vixie paul at redbarn.org
Fri Dec 25 02:09:24 UTC 2015


On Thursday, December 24, 2015 12:22:41 PM Ralf Weber wrote:
> Moin!

Gack!

> My goal is to help people to mitigate attacks. For that I use all of the
> available tools.

every time we use an incrementally just-good-enough tool to stop attackers, we educate 
them without demotivating them. please stop. the systemic defects in the internet that make 
it insecure include the approach you are describing.

> There are scenarios where RRL just won't work as others have pointed
> out.

no. actually, what's been described are various bypasses that work around RRL, all of which 
are far more expensive (in retooling costs) to attackers than shifting to a completely different 
protocol (SSDP, ICMP, NTP, or TCP-SYN).

-- 
P Vixie