On May 15, 2013, at 5:58 PM, John Kristoff <[email protected]> wrote:

> On Wed, 15 May 2013 17:52:11 -0400
> Jared Mauch <[email protected]> wrote:
>
>> If others want, I can look at putting in a config directive. It
>> would be possible to add other RRtypes easily enough that should get
>> TCP only that are not commonly used.
>
> I can speak for others, but I would prefer to use the RRL code already
> pretty well tested and being implemented in various name server
> implementations already. I would recommend others do so as well.
>
> <http://www.redbarn.org/dns/ratelimits>
>
> Why would someone choose to use your patch over RRL?
Because of the FP ratio presented at the DNS-OARC meeting this past week. It's suitable on a recursive resolver, where RRL is most effective on an authority. See

https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0

Page #12

This effectively does slip=1 and does away with any amplification and just makes it a pure reflection attack. Still not ideal, but doesn't amplify.

- jared
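To make the "slip=1, no amplification" point concrete, here is an added Python model of the behaviour Jared describes: a resolver that answers UDP queries for configured RR types with a truncated (TC=1) response carrying only the question, forcing the client to retry over TCP. This is example code written for this page, not Jared's patch or any name server's actual implementation; the `TCP_ONLY_TYPES` set stands in for the config directive he mentions, and the full-size answer is a constructed placeholder used only to measure the amplification ratio with and without truncation.

```python
import struct

# Stand-in for the hypothetical config directive: RR types that are
# only served over TCP. ANY (255) is the classic amplification query.
TCP_ONLY_TYPES = {255}  # assumption, not a real server setting

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client must retry over TCP
FLAG_RD = 0x0100  # recursion desired (copied from the query)


def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: header + one question, IN class."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, flags, qname, qtype, offset just past the question)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    return txid, flags, ".".join(labels) + ".", qtype, off


def truncated_response(query):
    """Echo the question with QR=1, TC=1 and zero answer RRs.

    The reply is exactly as large as the query, so a spoofed-source
    query cannot be amplified; the client must retry over TCP, which
    a forged source address cannot complete (the slip=1 effect).
    """
    txid, flags, qname, qtype, end = parse_question(query)
    rflags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + query[12:end]


def fake_full_answer(query, payload_len):
    """Constructed stand-in for a large normal answer (ANCOUNT=1, zero-filled RDATA)."""
    txid, flags, qname, qtype, end = parse_question(query)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | 0x0080, 1, 1, 0, 0)
    return header + query[12:end] + b"\x00" * payload_len


def respond_udp(query, full_answer):
    """UDP answer policy: truncate for TCP-only types, otherwise send the full answer."""
    _, _, _, qtype, _ = parse_question(query)
    if qtype in TCP_ONLY_TYPES:
        return truncated_response(query)
    return full_answer


def amplification(query, response):
    """Bytes sent by the server per byte received from the (possibly spoofed) client."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", 255)
    big = fake_full_answer(q, 3000)
    print("without truncation:", round(amplification(q, big), 1))
    print("with truncation:   ", amplification(q, respond_udp(q, big)))
```

Running it shows the ratio drop from roughly 104x to exactly 1.0 for the ANY query, while an A query (not in `TCP_ONLY_TYPES`) still receives its full answer. The residual reflection Jared mentions is visible too: the 29-byte truncated reply still goes to whatever source address was in the query, it just carries no more bytes than arrived.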
