One more comment: This patch only impacts recursive servers, not authorities.
They won't set TC=1 for an ANY query.

- Jared

On May 15, 2013, at 6:03 PM, Jared Mauch <[email protected]> wrote:

>
> On May 15, 2013, at 5:58 PM, John Kristoff <[email protected]> wrote:
>
>> On Wed, 15 May 2013 17:52:11 -0400
>> Jared Mauch <[email protected]> wrote:
>>
>>> If others want, I can look at putting in a config directive. It would be possible to add other RRtypes easily enough that should get TCP only that are not commonly used.
>>
>> I can speak for others, but I would prefer to use the RRL code already pretty well tested and being implemented in various name server implementations already. I would recommend others do so as well.
>>
>> <http://www.redbarn.org/dns/ratelimits>
>>
>> Why would someone choose to use your patch over RRL?
>
> Because of the FP ratio presented at the DNS-OARC meeting this past week. It's suitable on a recursive resolver, where RRL is most effective on an authority.
>
> See
>
> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0
>
> Page #12
>
> This effectively does slip=1 and does away with any amplification and just makes it a pure reflection attack. Still not ideal, but doesn't amplify.
>
> - jared

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
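As an added illustration (not the patch from the thread, nor any name server's code), a small Python model of the resolver-side behaviour Jared describes: an ANY query over UDP is answered with an empty response carrying TC=1, so the reply is no larger than the query and the amplification factor collapses to 1 while a real client simply retries over TCP. The sample query bytes are constructed and the function names are assumptions of this example.

```python
import struct

QTYPE_ANY = 255  # RFC 1035 QTYPE "*", i.e. ANY

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample client query: RD=1, one question, no EDNS."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(query: bytes):
    """Parse the header and single question of a wire-format query.
    Returns (txid, flags, qname, qtype, question_end). Assumes exactly one
    question and no name compression, which a client query never needs."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return txid, flags, ".".join(labels) + ".", qtype, pos + 4

def truncated_any_response(query: bytes, transport: str):
    """Model of the recursive-resolver patch discussed in the thread: an ANY
    query that arrives over UDP gets an empty answer with TC=1, so a genuine
    client retries over TCP while a spoofed UDP source receives nothing
    bigger than it sent. Returns None when the query is served normally."""
    txid, flags, _qname, qtype, qend = parse_query(query)
    if transport != "udp" or qtype != QTYPE_ANY:
        return None
    # QR=1, keep OPCODE, TC=1, copy RD, RA=1, RCODE=0; only QDCOUNT is non-zero
    resp_flags = 0x8000 | (flags & 0x7800) | 0x0200 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:qend]  # echo only the question section

def is_truncated(msg: bytes) -> bool:
    return bool(msg[2] & 0x02)  # TC is bit 9 of the 16-bit flags word

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes reflected toward the (possibly spoofed) source per byte received."""
    return len(response) / len(query)
```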
