[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"

Tony Finch dot at dotat.at
Wed Sep 7 15:54:58 UTC 2016

Jared Mauch <jared at puck.nether.net> wrote:

> I’d be interested in seeing software provide a more granular option than
> any-to-tcp so we can do it based on response size, eg: (if over 128
> bytes, send TC=1).

BIND 9.11 can do that, though it applies to every qtype:

    Sets the maximum size of UDP responses that will be sent to queries
    without a valid server COOKIE. A value below 128 will be silently
    raised to 128. The default value is 4096, but the max-udp-size option
    may further limit the response size.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fitzroy: Westerly or southwesterly 5 to 7, occasionally gale 8 at first in
northwest. Very rough or high at first in northwest, otherwise moderate or
rough. Showers. Good.

More information about the dns-operations mailing list