Damian Menscher wrote:
> ...
> My recommendation (which Vixie and Vernon disagree with) is to use RRL
> with slip=1 -- return TC=1 responses to all queries over the limit.

my disagreement is explained in detail here:

http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/

> This ensures your legitimate users can get through with a TCP request,
> rather than having to attempt multiple retries before learning to
> retry over TCP. Does slip=1 address your concerns?
>
> Of course TCP isn't perfect -- it has higher latency and
> per-connection costs -- but at least it ensures your legitimate users
> can't be affected by the RRL.

it does not. see [ibid].

vixie

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
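For readers unfamiliar with what "slip" means in this exchange, here is a toy model of the RRL slip decision. It is an added example, not code from the thread, from BIND or from any other RRL implementation; it assumes BIND-style semantics (slip N: every Nth rate-limited response is sent as a minimal TC=1 reply instead of being dropped; slip 0: everything over the limit is dropped), accounting per (client /24, qname, qtype), and a simplified fixed per-second refill with no window, burst or exempt-clients handling. The attack traffic and the legitimate client are constructed scenario data.

```python
"""Added example (not from the thread): toy DNS Response Rate Limiting (RRL)
simulation showing what a legitimate client sees under different slip values.

Simplifications (assumptions, not BIND's real accounting): fixed refill of
`rate` credits per second, no window/burst, no exempt-clients, and the slip
counter is kept per rate-limited account.
"""
from collections import defaultdict
from ipaddress import ip_network


class ToyRRL:
    """Minimal RRL: per-account credit bucket plus a slip counter."""

    def __init__(self, responses_per_second, slip, prefix_len=24):
        self.rate = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.credits = {}                  # account -> (credits left, last second seen)
        self.limited = defaultdict(int)    # account -> number of rate-limited queries

    def account(self, client_ip, qname, qtype):
        """RRL keys on the client's network, not the individual (spoofable) address."""
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, client_ip, qname, qtype, now):
        """Return 'answer', 'truncated' (TC=1, retry over TCP) or 'drop'."""
        key = self.account(client_ip, qname, qtype)
        credits, last = self.credits.get(key, (self.rate, now))
        if now > last:
            # refill `rate` credits per elapsed second, capped at one second's worth
            credits = min(self.rate, credits + self.rate * (now - last))
        if credits > 0:
            self.credits[key] = (credits - 1, now)
            return "answer"
        self.credits[key] = (credits, now)
        self.limited[key] += 1
        # slip N: every Nth over-limit query gets a small TC=1 reply; slip 0 drops all
        if self.slip > 0 and self.limited[key] % self.slip == 0:
            return "truncated"
        return "drop"


def simulate(slip, attack_queries=100, legit_queries=4, rate=5):
    """Constructed scenario: an attacker spoofs source addresses in 192.0.2.0/24
    and sends `attack_queries` ANY queries in one second; then a real client in
    that same /24 asks the same question `legit_queries` times. Returns the
    verdicts the legitimate client receives."""
    rrl = ToyRRL(rate, slip)
    for i in range(attack_queries):
        rrl.decide(f"192.0.2.{i % 250 + 1}", "example.com", "ANY", now=0)
    return [rrl.decide("192.0.2.250", "example.com", "ANY", now=0)
            for _ in range(legit_queries)]


if __name__ == "__main__":
    for slip in (0, 1, 2):
        print(f"slip={slip}: legitimate client sees {simulate(slip)}")
```

With slip=1 the legitimate client's very first over-limit query comes back with TC=1 and it can retry over TCP immediately; with slip=2 it alternates between a silent drop and a TC reply, so it may have to time out and retry before it learns to use TCP; with slip=0 it sees nothing at all. In BIND this corresponds to the `slip` option inside the `rate-limit { ... };` block of `options`. What the model does not capture, and what the linked CircleID post argues about, is the cost side: every TC reply is still a packet sent toward the spoofed address, and every legitimate TCP retry is a connection the server must carry.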
