[dns-operations] DNS activities in Japan

Mark Andrews marka at isc.org
Wed Jul 6 22:35:26 UTC 2016

In message <9bd51a85-2a43-242b-b2ee-2bd12d3db063 at isc.org>, Ray Bellis writes:
> On 06/07/2016 22:43, Jared Mauch wrote:
> > Yes, I think setting a zone size limit of 1G should be reasonable for
> example.
> For some values of available memory vs number of zones, etc, etc.
> A per-zone limitation on the amount of memory used can only provide a
> certain level of protection.  A determined attacker could just configure
> more zones and still make you fall over.
> Ray

And a more practical limit is number of records rather than size.
Those that run a secondary and dynamic update services tend to think
in terms of records rather than size.  Secondary and dynamic update
services is really the only service vulnerable to this sort of thing
and you can identify the offending client as you have a pre-existing
trust relationship.

And 1G is too small for some zones.

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list