[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.

Edward Lewis edward.lewis at icann.org
Wed May 27 11:39:36 UTC 2015


I'm reacting because I see a case of someone observing symptoms,
presenting eye-catchy colorful pictures and then running hard into the
land of diagnosis.

On 5/27/15, 7:10, "Mark Andrews" <marka at isc.org> wrote:

>For others it is scrubbing / DoS services which are blocking EDNS(1)
>queries.

This sounds like there might be a need to analyze a trade-off.  Taking the
leap of faith that the dropping EDNS(1) figures are caused by DDoS
scrubbing services, the question is "why?"  Are EDNS(1) and DDoS scrubbing
incompatible?

I will offer that, from what I've seen, DDoS scrubbing seems to offer
value to the Internet.  I.e., I don't think that it's not simply going to
go away.  (I'm remaining neutral on the question of value-for-money, in
the sense that's not the topic here.)  I seriously doubt that DDoS
scrubbing services will go away because they interrupt EDNS(1) adoption.

Perhaps there isn't a conflict, it is just that the testing is throwing
packets into a hole and declaring failure.  Perhaps the lost EDNS(1)
traffic ought to be explained away as part of the flotsam that is DDoS
traffic.

I'm just skeptical that a technology or mechanism will see lowered
adoption over time - if it is a good idea. I understand falling adoption
during the phase out/retirement/etc.  You point out the new TLD operators
- but it's dropping across the board (except for the bottom 1000, which
might be related to those cellar-dwellers not being subject to DDoS load,
hence no scrubbing).

I would have expected to see a chart showing an overall increase in adoption
with perhaps a sector that is failing and needing attention.  I don't see
that in the chart.