[dns-operations] looking for suggestion: ML for DNS anti-dos
Grant Taylor
gtaylor at tnetconsulting.net
Thu Apr 2 21:17:51 UTC 2020
On 4/2/20 1:01 PM, John R Levine wrote:
> I would triply emphasize that. Data from the root servers show that
> the vast majority of queries they get are garbage: technically
> ill-formed or for names that have never existed and likely never
> will.
This is another reason that I really like a local copy of the root DNS zone.
That copy has historically been a secondary copy. But I'm trying to
learn more about BIND's newer "mirror" zone option, which I think DNSSEC
validates the the transferred copy.
LocalRoot using TSIG keys seems related and is on my reading list.
I would like to get to a point where many DNS servers could safely have
a local copy of the root DNS zone.
See the pertinent RFCs for what "safely" means in this case.
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200402/91adfff7/attachment.bin>
More information about the dns-operations
mailing list