On 10 Jan 2013, at 15:00, Paul Wouters <[email protected]> wrote:

> On Thu, 10 Jan 2013, Jim Reid wrote:
>
>> IMO, responding to these spoofed queries is a Bad Idea.
>
> Not responding is worse.
>
> - valid recursors will just retry
>
> - valid recursors might conclude the auth server is slow/bad/unreachable and
>   avoid it for legitimate queries as well.

I agree: provided we're talking about responding to queries from valid recursors. However we're not. The context is spoofed queries. [See above.] Responding to these is bad because (a) it chews your bandwidth and CPU; (b) the replies don't go to the actual source that generated the queries; (c) the destination of those responses doesn't want or need that inbound traffic. This is why we agree RRL helps to reduce the damage from spoofed ANY flood attacks.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
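
The trade-off argued in this thread, as an added example that is not part of the original message and not the code of any DNS server: a simplified model of response rate limiting (RRL) that answers within a per-prefix budget and, once over it, alternates between dropping and sending a truncated reply so a real resolver behind the same prefix can retry over TCP. The class name, the rate, burst and slip values, the /24 grouping and the sample traffic are all assumptions constructed for illustration.

```python
from ipaddress import ip_network

COST = 1000  # milli-tokens spent per full response (integer math, no float drift)


class ResponseRateLimiter:
    """Simplified RRL model: token bucket per (client /24, qname), UDP only."""

    def __init__(self, rate=5, burst=5, slip=2):
        self.rate = rate            # assumed: responses/second refilled per bucket
        self.burst = burst * COST   # assumed: bucket depth
        self.slip = slip            # assumed: every Nth over-limit query gets TC=1
        self.buckets = {}           # key -> (milli_tokens, last_ms, over_limit_count)

    def decide(self, src_ip, qname, now_ms):
        """Return 'answer', 'truncate' or 'drop' for one query."""
        # A spoofed flood claims the victim's address, so account per prefix
        # and per name instead of trusting each source address individually.
        prefix = str(ip_network(f"{src_ip}/24", strict=False))
        key = (prefix, qname.lower())
        tokens, last, over = self.buckets.get(key, (self.burst, now_ms, 0))
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate)
        if tokens >= COST:
            self.buckets[key] = (tokens - COST, now_ms, over)
            return "answer"
        over += 1
        self.buckets[key] = (tokens, now_ms, over)
        # A truncated reply is no larger than the query, and a genuine
        # resolver reacts to it by retrying over TCP, which cannot be spoofed.
        if self.slip and over % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(queries, limiter=None):
    """Tally decisions per claimed source for (ms, src_ip, qname) tuples."""
    limiter = limiter or ResponseRateLimiter()
    tally = {}
    for now_ms, src_ip, qname in sorted(queries):
        row = tally.setdefault(src_ip, {"answer": 0, "truncate": 0, "drop": 0})
        row[limiter.decide(src_ip, qname, now_ms)] += 1
    return tally


# Constructed sample: 1000 queries in one second claiming 192.0.2.10 as source,
# plus an unrelated resolver asking four times in the same second.
FLOOD = [(ms, "192.0.2.10", "example.com.") for ms in range(1000)]
LEGIT = [(ms, "198.51.100.7", "example.com.") for ms in (0, 250, 500, 750)]

if __name__ == "__main__":
    for src, row in simulate(FLOOD + LEGIT).items():
        print(src, row)
```
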
