[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Paul Vixie paul at redbarn.org
Wed Feb 11 21:30:25 UTC 2015



> Paul Hoffman <paul.hoffman at vpnc.org>
> Wednesday, February 11, 2015 7:50 AM
>
> "Better" for whom? If some of the root server operators run RRL, all
> they are doing is causing the DDoS purveyors to switch to the other
> root server operators. If that happens, and then all of the root
> server operators feel that they have to run RRL, the attackers simply
> add ten lines of code to spread the load across all the root server
> operators at just below the threshold.

there are many bypasses better than that one.
>
> This feels like another poorly-thought-out experiment on the live
> operating DNS with, as usual, insufficient data about the experiment
> being collected. If I'm wrong, and your number of "25/sec" is based on
> analysis and data, it would be great for you to share it here.

25/sec will not be enough for large rdns plants. that's why the default
policy for slip and drop is so important. f-root's team must have
overridden those, probably because various people have spread some FUD
about drops.

this work came out of ddos work not dns work. after the tenth
anniversary of SAC004 came and went, with more rather than fewer edges
lacking SAV. 25/sec of signed nxdomain is enough to overload any DSL
circuit. i'd be happy to work with you to find an upper limit. this is a
zero sum game; we're deciding who feels the pain from the unprotected edge.



-- 
Paul Vixie
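The slip/drop policy the reply refers to is the part of response rate limiting that decides what a rate-limited client gets: nothing (drop), or a tiny truncated reply with TC=1 (slip) that a genuine resolver will retry over TCP while a spoofed victim receives only a few dozen bytes instead of a full signed NXDOMAIN. The following is an added example, not code from the thread, from BIND or from any root operator: a simplified, BIND-style RRL model that keys one token bucket per client /24 (IPv4) or /56 (IPv6) and per response class, never limits TCP, and returns "send", "slip" or "drop" for each response. The parameter values (5 responses per second, slip every second limited response, a 15-second debt window) are assumptions chosen to match the "TC=1 after 5 NXDOMAINs" behaviour in the subject line, not anything the reply specifies.

```python
"""Simplified BIND-style response rate limiting (RRL) model (added example).

Assumptions, not taken from the thread: one bucket per (client prefix,
response class); a single rate covers both NXDOMAIN and positive answers;
TCP is never limited, which is what makes slip (TC=1) safe for real resolvers.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NXDOMAIN = 3  # DNS RCODE value for "name error"


@dataclass
class Bucket:
    credits: float      # can go negative: a client in debt stays limited
    updated: float      # timestamp of the last refill
    limited: int = 0    # rate-limited responses so far; drives the slip cadence


class ResponseRateLimiter:
    def __init__(self, rate=5, slip=2, window=15, v4_prefix=24, v6_prefix=56):
        self.rate = rate            # responses per second per bucket
        self.slip = slip            # every slip-th limited response becomes TC=1 (0 = drop only)
        self.window = window        # seconds of debt a client may accumulate
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.buckets = {}

    def _key(self, client_ip, qname, rcode):
        addr = ip_address(client_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ip_network(f"{addr}/{plen}", strict=False)
        # All NXDOMAINs from one network share a bucket (the names in a random
        # subdomain flood are unique anyway); positive answers are keyed by
        # owner name so unrelated lookups do not starve each other.
        rclass = "nxdomain" if rcode == NXDOMAIN else qname.lower().rstrip(".")
        return (net, rclass)

    def decide(self, client_ip, qname, rcode, now, transport="udp"):
        """Return 'send', 'slip' (truncated TC=1 reply) or 'drop' for one response."""
        if transport == "tcp":
            return "send"           # TCP proves the source address; never limited
        key = self._key(client_ip, qname, rcode)
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(credits=float(self.rate), updated=now)
            self.buckets[key] = b
        # Refill credits for the elapsed time, capped at one second's worth.
        b.credits = min(float(self.rate), b.credits + (now - b.updated) * self.rate)
        b.updated = now
        if b.credits >= 1:
            b.credits -= 1
            return "send"
        # Over the limit: go further into debt (bounded by the window) and
        # either slip a truncated reply or drop the response entirely.
        b.credits = max(b.credits - 1, -float(self.window * self.rate))
        b.limited += 1
        if self.slip and b.limited % self.slip == 0:
            return "slip"
        return "drop"


def simulate(rrl, client_ip, n, now=0.0, qname="example.", rcode=NXDOMAIN):
    """Feed n responses for one client at one instant and tally the decisions."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for _ in range(n):
        counts[rrl.decide(client_ip, qname, rcode, now)] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: 100 NXDOMAIN answers towards one spoofed /24 in one second.
    rrl = ResponseRateLimiter(rate=5, slip=2)
    print("slip=2:", simulate(rrl, "192.0.2.10", 100))
    print("drop-only:", simulate(ResponseRateLimiter(rate=5, slip=0), "192.0.2.10", 100))
    # A resolver behind the same prefix that retries over TCP is still answered.
    print("tcp retry:", rrl.decide("192.0.2.10", "x.example.", NXDOMAIN, 0.0, transport="tcp"))
```

With slip=2, the 100 constructed NXDOMAINs yield 5 full answers, 47 truncated TC=1 replies and 48 drops; with slip=0 everything past the fifth is silently dropped, which is the configuration that leaves a large resolver farm behind one /24 with no way to recover. A real resolver that sees TC=1 reopens the query over TCP, which the model (like BIND) does not limit, so the cost of slip falls on the spoofed victim, not on legitimate clients.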