[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.
Edward Lewis
edward.lewis at icann.org
Wed May 27 11:39:36 UTC 2015
I'm reacting because I see a case of someone observing symptoms,
presenting eye-catchy colorful pictures and then running hard into the
land of diagnosis.
On 5/27/15, 7:10, "Mark Andrews" <marka at isc.org> wrote:
>For others is is scrubbing / DoS services which are blocking EDNS(1)
>queries.
This sounds like there might be a need to analyze a trade-off. Taking the
leap of faith that the dropping EDNS(1) figures is caused by DDoS
scrubbing services, the question is "why?" Is EDNS(1) and DDoS scrubbing
incompatible?
I will offer that, from what I've seen, DDoS scrubbing seems to offer
value to the Internet. I.e., I don't think that it's not simply going to
go away. (I'm remaining neutral on the question of value-for-money, in
the sense that's not the topic here.) I seriously doubt that DDoS
scrubbing services will go away because they interrupt EDNS(1) adoption.
Perhaps there isn't a conflict, it is just that the testing is throwing
packets into a hole and declaring failure. Perhaps the lost EDNS(1)
traffic ought to be explained away as part of the flotsam that is DDoS
traffic.
I'm just skeptical that a technology or mechanism will see lowered
adoption over time - if it is a good idea. I understand falling adoption
during the phase out/retirement/etc. You point out the new TLD operators
- but it's dropping across the board (except for the bottom 1000, which
might be related to those cellar-dwellers not being subject to DDoS load,
hence no scrubbing).
I would have expected to see a chart showing over increase in adoption
with perhaps a sector that is failing and needing attention. I don't see
that in the chart.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4604 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150527/2f2043d4/attachment.bin>
More information about the dns-operations
mailing list