[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Paul Vixie paul at redbarn.org
Wed Sep 7 11:44:54 UTC 2016

Tony Finch wrote:
> Paul Vixie<paul at redbarn.org>  wrote:
>> Tony Finch wrote:
>>> AIUI RRL would have reduced our UDP response rate, which would have
>>> caused retries and therefore a higher UDP query rate. ...
>> i think you should try it. it's design to not do what you're describing.
> I've been running it for years.

i meant try the specific attack you're worrying about. it should not 
behave the way you're worrying it will behave.

> I was describing what is covered in section 4.1 of
> http://ss.vix.su/~vixie/isc-tn-2012-1.txt

i do not expect the real clients to repeat their queries more than once 
per TTL. statistically that means you won't see many UDP-to-TCP upgrades 
as a result of the TC=1 responses you're sending out.

> If minimal-any is wrong, what should I have done instead?

nothing. treat ANY as strategically valuable attack-signature that is 
presently useful in traceback activities, and must be preserved for that 
purpose, unless you can move us to an end-game scenario where there is 
no obvious next move for the bad guys.

P Vixie

More information about the dns-operations mailing list