[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Tony Finch dot at dotat.at
Wed Feb 11 16:23:46 UTC 2015

Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> It sounds like a bad configuration for RRL at f-root, given the replies
> below that they are unique queries (which would make sense from a
> caching resolver).

I don't think it is that bad. If you fail to ratelimit because all the
queries are different then attackers have a trivial bypass.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Southeast Bailey: Southerly veering northerly 6 to gale 8, then easterly 4 or
5, increasing 6 or 7 later. Very rough becoming rough. Rain. Moderate or poor.

More information about the dns-operations mailing list