Doug Barton <[email protected]> wrote:

> I think this is a bad idea generally, and that RRL is a better solution to the
> amplification vector issue.

RRL and minimal-any address different problems.

My servers have been using RRL for many years and it works very nicely at dealing with spoofed UDP attacks directed at my auth servers.

I implemented and deployed minimal-any to reduce TCP overload problems. If many legitimate recursive servers are being abused as amplifiers, using a name hosted by my authoritative servers, my auth servers can get overloaded with too much TCP traffic. With minimal-any, the recursive servers get answers over UDP, populate their caches, and go away happy.

Cloudflare's reason for deploying minimal-any is also unrelated to RRL. On their servers it is very expensive to assemble an ANY response. It is much simpler and cheaper for them to satisfy queries with a synthetic response than waste effort on a traditional full-fat answer.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
Hebrides, Bailey: Cyclonic becoming southwest, 5 or 6. Rough, occasionally very rough. Occasional rain. Good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
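The mechanism Tony describes, shown as an added example that is not part of the thread and not code from BIND or Cloudflare: a recursive server asks ANY over UDP; if the answer fits its UDP limit it caches it and goes away, otherwise the authoritative server sets TC and the resolver comes back over TCP. The script assembles a full ANY answer and two minimal-any answers (one real RRset, or a synthesized HINFO of the shape RFC 8482 later standardised) in DNS wire format and compares what each does to the resolver. The zone name, records, TTLs, the 512-byte UDP limit, the "smallest RRset" selection rule and the HINFO strings are all constructed assumptions; names are written uncompressed, so sizes are upper bounds.

```python
"""Added example: why a minimal ANY answer keeps recursive resolvers on UDP.

Not code from the DNSOP thread, BIND or Cloudflare. All names, records,
TTLs and the 512-byte UDP limit are constructed for illustration. Names are
encoded without compression, so sizes are upper bounds on a real server's.
"""
import ipaddress
import struct

QTYPE = {"A": 1, "NS": 2, "HINFO": 13, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
CLASS_IN = 1
FLAG_QR_AA = 0x8400   # response + authoritative answer
FLAG_TC = 0x0200      # truncated: the resolver must retry over TCP
MSG_ID = 0x1234       # constructed; a real server echoes the query id

ZONE = "example.test."
# Constructed RRsets owned by ZONE: (rtype, ttl, [rdata, ...])
RRSETS = [
    ("A", 300, ["192.0.2.10"]),
    ("AAAA", 300, ["2001:db8::10"]),
    ("NS", 86400, ["ns1.example.test.", "ns2.example.test."]),
    ("MX", 3600, [(10, "mail1.example.test."), (20, "mail2.example.test.")]),
    ("TXT", 3600, [
        ["v=spf1 include:_spf.example.test ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
        ["v=DKIM1; k=rsa; p=" + "A" * 180],   # placeholder key, not a real DKIM key
    ]),
]


def encode_name(name):
    """Uncompressed wire form of a dotted name: length-prefixed labels, root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def encode_rdata(rtype, rdata):
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    if rtype == "NS":
        return encode_name(rdata)
    if rtype == "MX":
        pref, exchange = rdata
        return struct.pack("!H", pref) + encode_name(exchange)
    if rtype == "TXT":  # one or more <character-string>s, each <= 255 bytes
        return b"".join(bytes([len(s)]) + s for s in (t.encode() for t in rdata))
    if rtype == "HINFO":
        cpu, os_ = (s.encode() for s in rdata)
        return bytes([len(cpu)]) + cpu + bytes([len(os_)]) + os_
    raise ValueError("unsupported type " + rtype)


def encode_rr(owner, rtype, ttl, rdata):
    wire = encode_rdata(rtype, rdata)
    fixed = struct.pack("!HHIH", QTYPE[rtype], CLASS_IN, ttl, len(wire))
    return encode_name(owner) + fixed + wire


def build_any_response(qname, rrsets, udp_limit):
    """Assemble an ANY response; return (wire_bytes, truncated).

    If the full message exceeds udp_limit the server answers with TC set and
    an empty answer section, which makes the resolver retry over TCP.
    """
    question = encode_name(qname) + struct.pack("!HH", QTYPE["ANY"], CLASS_IN)
    answer = b"".join(encode_rr(qname, t, ttl, rd) for t, ttl, rds in rrsets for rd in rds)
    ancount = sum(len(rds) for _, _, rds in rrsets)
    msg = struct.pack("!HHHHHH", MSG_ID, FLAG_QR_AA, 1, ancount, 0, 0) + question + answer
    if len(msg) <= udp_limit:
        return msg, False
    return struct.pack("!HHHHHH", MSG_ID, FLAG_QR_AA | FLAG_TC, 1, 0, 0, 0) + question, True


def full_any(qname, rrsets, udp_limit=512):
    """Traditional full-fat ANY answer: every RRset at the name."""
    return build_any_response(qname, rrsets, udp_limit)


def minimal_any_subset(qname, rrsets, udp_limit=512):
    """Minimal-any, variant 1: one real RRset so the resolver caches real data.
    Choosing the smallest RRset is this example's rule, not BIND's."""
    def rrset_size(r):
        return sum(len(encode_rr(qname, r[0], r[1], rd)) for rd in r[2])
    return build_any_response(qname, [min(rrsets, key=rrset_size)], udp_limit)


def minimal_any_synthetic(qname, udp_limit=512):
    """Minimal-any, variant 2: a synthesized HINFO instead of zone data
    (the shape RFC 8482 later standardised; strings assumed here)."""
    return build_any_response(qname, [("HINFO", 3600, [("RFC8482", "")])], udp_limit)


def resolver_transport(truncated):
    """What the recursive server does after seeing the UDP answer."""
    return "TCP retry" if truncated else "cache over UDP"


if __name__ == "__main__":
    for label, (wire, tc) in [
        ("full ANY", full_any(ZONE, RRSETS)),
        ("minimal-any (one RRset)", minimal_any_subset(ZONE, RRSETS)),
        ("minimal-any (HINFO)", minimal_any_synthetic(ZONE)),
    ]:
        print(f"{label:24s} {len(wire):4d} bytes, TC={tc}, resolver: {resolver_transport(tc)}")
```

With the constructed zone the full answer is 594 bytes, so under a 512-byte UDP limit the server can only send a 30-byte TC reply and every abused resolver comes back over TCP; both minimal-any answers fit in one UDP packet (58 and 63 bytes) and the resolver caches and leaves. Raising the limit to an EDNS-sized 4096 lets the full answer through over UDP, which is why the TCP problem shows up mainly with clients that lack EDNS or have small buffers.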
