In message <[email protected]>, Frederico A C Neves writes:
> On Fri, Oct 24, 2014 at 08:18:54AM -0400, Phillip Hallam-Baker wrote:
> > On Fri, Oct 24, 2014 at 1:57 AM, Watson Ladd <[email protected]> wrote:
> ...
> >
> > The DoS and amplification attacks are the reasons why I believe that
> > whatever mechanism we choose needs to authenticate requests and only
> > respond if the request is 'sufficiently' authentic.
>
> We do have a "sufficiently" solution for this proposed now for more
> than 8 years and counting.
>
> http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-00

And Donald and I are trying to finalise that so we can ship code
in BIND 9.11. BIND 9.10 already has experimental code (SIT) which
is similar. The current difference is SIT doesn't have an error
code and cookies does. When SIT was shipped the server cookies
were completely different. The open question is: is the error code
really useful?

SIT is enabled in the Windows builds and can be enabled at compile
time with --enable-sit.

Mark

> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
