At Mon, 9 May 2016 18:45:49 -0400, Shumon Huque <[email protected]> wrote:
> > - Section 3
> >
> > "NXDOMAIN cut" may also help mitigate certain types of random QNAME
> > attacks [joost-dnsterror] [balakrichenan-dafa888], where there is a
> > fixed suffix which does not exist.
> >
> > This is true, but I suspect it would be pretty easy for this type of
> > attacker to circumvent the effect if and when the nxdomain-cut
> > behavior is more widely deployed. An attacker for the '.wf' zone
> > would simply send random junk query <random>.wf instead of
> > <random>.dafa888.wf. So I think the mitigation effect in this sense
> > is quite limited.
>
> Yes, that's why we were careful to say that "certain types" of attacks
> "may" be mitigated. Implicit in that sentence was the recognition that
> other patterns of random subdomain attacks would not be stopped and
> that attackers could adapt. Do you have a specific suggestion regarding
> the text? Did you want the limitation stated more explicitly? Or do you
> think this topic isn't worth mentioning? Or ...

I don't have a particular/strong suggestion. I just provided some
observation I happened to have from my latest read of the document.
If we all think this particular point is not that important, I might
consider removing it if only to make it shorter (and therefore more
friendly for readers). But if you think it still has some value, I
have no problem with keeping it in its current form.

--
JINMEI, Tatuya
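
Added example, not part of the original message: a toy Python model of the behaviour discussed in this thread, assuming a resolver that descends one label at a time (QNAME-minimisation style) and treats a cached NXDOMAIN as covering every name below it. The zone contents and all class and function names are constructed for illustration; it counts upstream queries for the `<random>.dafa888.wf` and `<random>.wf` patterns mentioned above.

```python
def labels(qname):
    """Split a name into lowercase labels, ignoring a trailing dot."""
    return tuple(l for l in qname.lower().rstrip(".").split(".") if l)


class CutResolver:
    """Toy resolver cache: no TTLs, no DNSSEC, one constructed zone."""

    def __init__(self, zone_names):
        self.zone = {labels(n) for n in zone_names}  # constructed zone data
        self.exists_cache = set()  # names known to exist
        self.nx_cache = set()      # names known not to exist (the "cuts")
        self.upstream = 0          # queries that reached the authoritative side

    def _ask_authoritative(self, name):
        self.upstream += 1
        # A name exists if it, or anything below it, is in the zone.
        return any(z[-len(name):] == name for z in self.zone)

    def resolve(self, qname):
        name = labels(qname)
        # Assumption: walk down from the TLD one label at a time.
        for depth in range(1, len(name) + 1):
            ancestor = name[-depth:]
            if ancestor in self.nx_cache:
                # NXDOMAIN cut: nothing exists below a nonexistent name.
                return "NXDOMAIN (cached cut at %s)" % ".".join(ancestor)
            if ancestor in self.exists_cache:
                continue
            if self._ask_authoritative(ancestor):
                self.exists_cache.add(ancestor)
            else:
                self.nx_cache.add(ancestor)
                return "NXDOMAIN (upstream)"
        return "NOERROR"


def upstream_cost(suffix, count=100):
    """Upstream queries caused by `count` distinct names under `suffix`."""
    resolver = CutResolver(["wf", "nic.wf"])  # constructed: dafa888.wf absent
    for i in range(count):
        resolver.resolve("r%d.%s" % (i, suffix))
    return resolver.upstream


if __name__ == "__main__":
    print("fixed nonexistent suffix:", upstream_cost("dafa888.wf"))
    print("directly under the zone: ", upstream_cost("wf"))
```

With the fixed nonexistent suffix, the cut at `dafa888.wf` absorbs every query after the first; names placed directly under `wf` each miss the cache, which is the limitation raised in the thread.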
