On 2013-09-07, at 4:11 PM, Paul Wouters <[email protected]> wrote:

>>> this sounds vaguely similar to unbound's "harden-referral-path" option,
>>> though it applies to all lookups.
>>
>> I researched this, and found that it was first described here:
>>
>> http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01#section-3.3
>>
>> The option is currently marked "experimental" due to not being RFC standard,
>> and performance concerns. If the option were applied only to large
>> responses (specifically to mitigate this type of attack), that would reduce
>> the performance impact.
>
> This option has been enabled for years in the RHEL/EPEL and Fedora
> standard configurations of unbound.
That would be very interesting if Unbound were the default DNS server in these dists, but I assume it is BIND?

-Aaron
