In message <[email protected]>, Vernon Schryver writes: > > From: Tony Finch <[email protected]> > > > One of the points of minimal-any is that the answer is not truncated > > because you do not want clients to automatically retry over TCP. This is > > to handle situations where many third-party recursive servers are under > > attack using one of your names, so the recursive servers are hitting > > your authoritative servers hard. RRL does not work in this case, because > > the clients are legitimate recursive servers. You want to give them an > > answer asap, that they can cache without hitting TCP. > > On the contrary, as that case is described, RRL works fine, and > this minimal-any mechanism won't help the obvious attack situation > in that might be intended. > > Each legitimate recursive server will ask once per some TTL and > cache the rrsets that it gets. No single legitimate recursive > server will make a lot of ANY requests per unit time. > > An attack that might be intended involves many open recursive servers > (perhaps open only local infected eyeball stubs) being hit for only a > few requests each (or at least passing on only a few each request) for > your names but many all together. > > However, in that case how many legitimate recursive servers will > send ANY requests to authorities?
Any with a empty cache for name when the query comes in and a qtype 255 in the request. The hard part of a 255 request is just having cached negative responses for individual types doesn't result in useful response to the request. You still need to recurse with qtype 255 to get some data to return including NODATA for a ENT. Mark > Vernon Schryver [email protected] > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
