> Paul Hoffman <mailto:[email protected]> > Wednesday, February 11, 2015 7:50 AM > > "Better" for whom? If some of the root server operators run RRL, all > they are doing is causing the DDoS purveyors to switch to the other > root server operators. If that happens, and then all of the root > server operators feel that they have to run RRL, the attackers simply > add ten lines of code to spread the load across all the root server > operators at just below the threshold.
there are many bypasses better than that one. > > This feels like another poorly-thought-out experiment on the live > operating DNS with, as usual, insufficient data about the experiment > being collected. If I'm wrong, and your number of "25/sec" is based on > analysis and data, it would be great for you to share it here. 25/sec will not be enough for large rdns plants. that's why the default policy for slip and drop is so important. f-root's team must have overridden those, probably because various people have spread some FUD about drops. this work came out of ddos work not dns work. after the tenth anniversary of SAC004 came and went, with more rather than fewer edges lacking SAV. 25/sec of signed nxdomain is enough to overload any DSL circuit. i'd be happy to work with you to find an upper limit. this is a zero sum game; we're deciding who feels the pain from the unprotected edge. -- Paul Vixie
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
