[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Tue Sep 6 14:44:14 UTC 2016

Paul Vixie <paul at redbarn.org> wrote:
> Tony Finch wrote:
> >
> > AIUI RRL would have reduced our UDP response rate, which would have
> > caused retries and therefore a higher UDP query rate. ...
> i think you should try it. it's designed to not do what you're describing.

I've been running it for years.

I was describing what is covered in section 4.1 of

> > Even so, it is still useful to make my servers more robust against being
> > collateral damage in an attack aimed at someone else, and it is good to
> > make my servers less attractive for use in attacks on others.
> no, it's not. you're doing far more work blocking ANY than the attacker would
> have to do to switch to a different qtype. in the unending game play of
> cybercat and cybermouse, that means you lose the current round.

Sounds like a win to me! If an attacker uses my servers directly I have
RRL, and if they use my domains to bounce off a recursive server, their
amplification factor is much smaller, and I can refill the recursive
caches more cheaply.

If minimal-any is wrong, what should I have done instead?

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Trafalgar: Northerly 5 or 6 at first in north, otherwise variable, becoming
northwesterly later, 3 or 4. Moderate, occasionally slight in southeast. Fog
patches. Moderate or good, occasionally very poor.
