[dns-operations] [Ext] dns-operationsMysteries of DNSSEC

Puneet Sood puneets at google.com
Tue Apr 2 16:54:20 UTC 2024

On Tue, Apr 2, 2024 at 12:20 PM Paul Hoffman <paul.hoffman at icann.org> wrote:

> On Apr 2, 2024, at 08:42, Wes Hardaker <wjhns1 at hardakers.net> wrote:
> > Do check/worry about DDoS reflections from UDP requests for DNSKEYs.
> Why? Of what value is worrying about this? From what you and John says,
> it's pretty clear that you can't do anything effective to remediate
> whatever it is they are doing. Recent DDoS stats indicate that redirected
> DNS over UDP is no longer a significant source in real-world attacks. Short
> of being fodder for yet another "UDP considered harmful" discussion, why
> even note this?

Agree with this sentiment. There are over 1 M unique name server IPs. There
are probably many more resolver IPs seen by auths. The latter probably
includes researchers, random probes and so on.

Limiting UDP responses to < 1500 bytes and truncating otherwise should be
the response these days.

> --Paul Hoffman
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20240402/edecf103/attachment.html>

More information about the dns-operations mailing list