[dns-operations] DNS activities in Japan
Mark Andrews
marka at isc.org
Wed Jul 6 22:35:26 UTC 2016
In message <9bd51a85-2a43-242b-b2ee-2bd12d3db063 at isc.org>, Ray Bellis writes:
> On 06/07/2016 22:43, Jared Mauch wrote:
>
> > Yes, I think setting a zone size limit of 1G should be reasonable for
> example.
>
> For some values of available memory vs number of zones, etc, etc.
>
> A per-zone limitation on the amount of memory used can only provide a
> certain level of protection. A determined attacker could just configure
> more zones and still make you fall over.
>
> Ray
>
And a more practical limit is number of records rather than size.
Those that run a secondary and dynamic update services tend to think
in terms of records rather than size. Secondary and dynamic update
services is really the only service vulnerable to this sort of thing
and you can identify the offending client as you have a pre-existing
trust relationship.
And 1G is too small for some zones.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list