[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Paul Vixie paul at redbarn.org
Sun Oct 18 19:46:59 UTC 2015


On Sunday, October 18, 2015 14:22:31 Mark Jeftovic wrote:
> 
> Yes this is a common DDoS mitigation technique and it works pretty
> well for some situations. I'm not surprised to hear somebody patented
> this, I could almost hazard a guess who (but I won't)
> 
> I would not do it all the time however, because we've seen cases where
> some devices / resolvers fail badly on the TCP retry (like they don't
> do it, won't do it), such as some mobile devices on some wireless
> networks.
> 
> It's ok to do this in a hair-on-fire situation IMHO (but I'm of the
> opinion it's ok to do almost anything in a hair-on-fire situation,
> such as dropping ANY's on the floor, whatever it takes)

i am -1 to all forms of modal defense. for that reason, see DNS RRL.

-- 
Paul
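To make the two positions concrete: the TC=1 reply Mark describes, beside an RRL-style rate limiter that emits it only to clients already over their limit (the "slip" behaviour, which is how RRL avoids making every client pay the TCP-retry cost). This is an added Python example, not code from the thread or from any RRL implementation; the sample query, the per-second limit and the slip ratio are constructed values.

```python
import struct
import time
from collections import defaultdict

# Constructed sample query: ID 0x1234, RD set, one question "example.com A IN".
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)

def truncated_reply(query: bytes) -> bytes:
    """Minimal response telling the client to retry over TCP: same ID,
    QR=1, TC=1, RD copied, RCODE 0, question echoed, no answer records."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    pos = 12                          # skip the header, walk the QNAME labels
    while query[pos] != 0:
        pos += 1 + query[pos]
    pos += 1 + 4                      # root label + QTYPE/QCLASS
    resp_flags = 0x8000 | 0x0200 | (flags & 0x0100)   # QR | TC | RD
    return struct.pack("!HHHHHH", qid, resp_flags, qdcount, 0, 0, 0) + query[12:pos]

def tc_is_set(response: bytes) -> bool:
    """The check a well-behaved stub or resolver makes before falling back to TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

class RateLimiter:
    """Token bucket per (client /24, question), RRL-style: under the limit answer
    normally; over it drop most queries and 'slip' a TC=1 reply for one in every
    `slip`, so a legitimate client behind a spoofed flood can still reach TCP."""
    def __init__(self, per_second=5, slip=2, clock=time.monotonic):
        self.per_second, self.slip, self.clock = per_second, slip, clock
        self.tokens = {}                      # key -> (tokens, last_refill)
        self.overflow = defaultdict(int)

    def decide(self, src_ip: str, query: bytes) -> str:
        key = (src_ip.rsplit(".", 1)[0], query[12:])   # /24 prefix + question bytes
        now = self.clock()
        tokens, last = self.tokens.get(key, (self.per_second, now))
        tokens = min(self.per_second, tokens + (now - last) * self.per_second)
        if tokens >= 1:
            self.tokens[key] = (tokens - 1, now)
            return "answer"
        self.tokens[key] = (tokens, now)
        self.overflow[key] += 1
        return "slip" if self.overflow[key] % self.slip == 0 else "drop"
```

A responder would send `truncated_reply(query)` on "slip", nothing on "drop", and the normal answer otherwise.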