[dns-operations] looking for suggestion: ML for DNS anti-dos

Grant Taylor gtaylor at tnetconsulting.net
Thu Apr 2 21:17:51 UTC 2020

On 4/2/20 1:01 PM, John R Levine wrote:
> I would triply emphasize that.  Data from the root servers show that 
> the vast majority of queries they get are garbage: technically 
> ill-formed or for names that have never existed and likely never 
> will.
This is another reason that I really like a local copy of the root DNS zone.

That copy has historically been a secondary copy.  But I'm trying to 
learn more about BIND's newer "mirror" zone option, which I think DNSSEC 
validates the the transferred copy.

LocalRoot using TSIG keys seems related and is on my reading list.

I would like to get to a point where many DNS servers could safely have 
a local copy of the root DNS zone.

See the pertinent RFCs for what "safely" means in this case.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200402/91adfff7/attachment-0001.bin>

More information about the dns-operations mailing list