Hi,

This is an interesting attack vector, especially because of the concentration 
of bandwidth usage between the resolver and the authoritative. The proposed 
solutions are also pretty reasonable.

I think this document is a good idea. We'll likely implement some of the 
proposed measures at deSEC.

Best,
Peter


On 1/6/26 08:35, 左鹏 wrote:
Hi ALL,

We have submitted a new Internet-Draft:

https://datatracker.ietf.org/doc/draft-avoid-large-wildcard-records/

The draft discusses DNS amplification risks caused by oversized records with 
wildcard owner names, especially in large-scale authoritative DNS hosting 
environments, and provides operational guidance for mitigation.

Comments and feedback are welcome.

Thanks.

-----Original Message-----
From: [email protected]
Sent: 2026-01-06 15:21:06 (Tuesday)
To: "Joe Abley" <[email protected]>, "Peng Zuo" <[email protected]>, "Zhiwei Yan" 
<[email protected]>
Subject: New Version Notification for draft-avoid-large-wildcard-records-00.txt

A new version of Internet-Draft draft-avoid-large-wildcard-records-00.txt has
been successfully submitted by Peng Zuo and posted to the
IETF repository.

Name:     draft-avoid-large-wildcard-records
Revision: 00
Title:    Avoid Large Records with a Wildcard Owner Name
Date:     2026-01-05
Group:    Individual Submission
Pages:    7
URL:      https://www.ietf.org/archive/id/draft-avoid-large-wildcard-records-00.txt
Status:   https://datatracker.ietf.org/doc/draft-avoid-large-wildcard-records/
HTMLized: https://datatracker.ietf.org/doc/html/draft-avoid-large-wildcard-records


Abstract:

    As DNS hosting becomes increasingly centralized, with multiple zones
    hosted on shared authoritative name servers, the risk of DNS
    amplification attacks has grown.  By crafting large DNS records with
    wildcard owner names, attackers can exploit these shared servers to
    launch high-volume DDoS amplification attacks.

    This document provides operational guidance for DNS hosting providers
    to mitigate DDoS risks arising from amplification of responses
    derived from wildcard owner names.



The IETF Secretariat


_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

--
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
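The abstract above describes the mechanism: any query for a non-existent name under a wildcard owner synthesises the full wildcard RRset, so a hosting provider can estimate the worst-case amplification of each wildcard RRset from the zone data alone. The following is an added example written for this thread, not code from the draft, from its authors or from deSEC. It estimates the wire size of the answer a resolver would receive for a probe name under each wildcard owner and flags RRsets whose estimated response exceeds a byte threshold. The zone records, the probe label and the 512-byte threshold are constructed for illustration; the draft's own guidance is not reproduced here.

```python
"""Audit a zone for oversized RRsets under wildcard owner names (added example).

For every wildcard RRset this estimates the wire size of a minimal query and
of the corresponding answer, and reports the approximate amplification factor
(response bytes / query bytes). The estimate is a lower bound: it ignores the
EDNS OPT record, DNSSEC signatures and any additional-section data.
"""
from dataclasses import dataclass


@dataclass
class RR:
    owner: str            # e.g. "*.example.com."
    rtype: str            # "A", "AAAA" or "TXT"
    rdata: object         # str for A/AAAA, list of str for TXT


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name: one length byte per label plus the root byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def rdata_wire_len(rtype: str, rdata) -> int:
    """Wire length of RDATA for the record types this example understands."""
    if rtype == "A":
        return 4
    if rtype == "AAAA":
        return 16
    if rtype == "TXT":
        # each character-string is a length byte followed by up to 255 bytes;
        # longer strings are split into 255-byte chunks, an empty string costs 1 byte
        total = 0
        for s in rdata:
            b = s.encode()
            total += sum(1 + len(b[i:i + 255]) for i in range(0, max(len(b), 1), 255))
        return total
    raise ValueError(f"unsupported type {rtype}")


def rr_wire_len(rr: RR) -> int:
    # owner name as a 2-byte compression pointer to the question name,
    # then TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) and the RDATA itself
    return 2 + 10 + rdata_wire_len(rr.rtype, rr.rdata)


def query_size(qname: str) -> int:
    """Bytes of a minimal query: 12-byte header plus QNAME, QTYPE and QCLASS."""
    return 12 + name_wire_len(qname) + 4


def response_size(qname: str, rrset) -> int:
    """Bytes of a response carrying only the question and the answer RRset."""
    return query_size(qname) + sum(rr_wire_len(rr) for rr in rrset)


def audit_wildcards(zone, max_bytes: int = 512, probe_label: str = "a"):
    """Return one finding per wildcard RRset with its estimated size and amplification."""
    groups = {}
    for rr in zone:
        if rr.owner.startswith("*."):
            groups.setdefault((rr.owner, rr.rtype), []).append(rr)
    findings = []
    for (owner, rtype), rrs in groups.items():
        # any name under the wildcard that does not exist in the zone yields the whole RRset;
        # the probe label is an assumption used only to size the question section
        qname = probe_label + owner[1:]
        q = query_size(qname)
        r = response_size(qname, rrs)
        findings.append({
            "owner": owner,
            "rtype": rtype,
            "query_bytes": q,
            "response_bytes": r,
            "amplification": r / q,
            "oversized": r > max_bytes,
        })
    return findings


# Constructed sample zone: a small wildcard A record and a wildcard TXT RRset
# padded to 8 x 255 bytes, which is the kind of record the draft warns about.
SAMPLE_ZONE = [
    RR("*.example.com.", "A", "192.0.2.1"),
    RR("*.example.com.", "TXT", ["x" * 255] * 8),
    RR("www.example.com.", "A", "192.0.2.2"),
]


if __name__ == "__main__":
    for f in audit_wildcards(SAMPLE_ZONE):
        flag = "OVERSIZED" if f["oversized"] else "ok"
        print(f"{f['owner']} {f['rtype']}: ~{f['response_bytes']} B, "
              f"x{f['amplification']:.1f} amplification [{flag}]")
```

Run against a real zone export, the same grouping by (owner, type) applies; adding more record types only requires extending rdata_wire_len. The threshold is a local policy choice and, because the estimate omits EDNS and DNSSEC overhead, the true response is at least as large as reported.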
