Re: [dns-operations] Enom's name server broken?

2013-01-16 Thread Fan Of Network 
On Tue, Jan 15, 2013 at 11:19 PM, Matthew Ghali mgh...@snark.net wrote:

 In an ideal world, you'd get exactly what you pay for. In reality you get
 less. Most people are definitely not paying for inter-provider coordination
 and a seamless service cutover. Heck, they're paying barely enough for
 service that answers *most* queries.


I'm willing to pay for seamless service cut over - no problem with that. My
provider (Enom) does even have a hosted DNS product, but they cannot
activate it when they domain is registered with them. Now, I'm considering
transferring my domains away from Enom as this might be the easiest
solution.

Some providers don't even offer the option to pay more and get better
service, which is a pity.

You can argue why Enom was chosen in the first place as a registrar and
provider for DNS. I honestly don't know - they were big enough I guess.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] ID of IPv4 fragments and DNS and the future RFC

2013-01-16 Thread Tony Finch 
Stephane Bortzmeyer bortzme...@nic.fr wrote:
 Florian Weimer f...@deneb.enyo.de wrote:

  1000 responses per second doesn't seem that much, though.

 To the *same* destination? (The ID only has to be unique per each tuple
 {src, dst, protocol}.) It looks a lot.

It is not a lot for a recursive server with busy clients.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] responding to spoofed ANY queries

2013-01-16 Thread Frank Bulk 
Perhaps the ratio could be a dynamic whitelist -- if it's 1.5 or less, then
allow the response to go out.

Frank

-Original Message-
From: dns-operations-boun...@lists.dns-oarc.net
[mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf Of Vernon
Schryver
Sent: Sunday, January 13, 2013 4:52 PM
To: dns-operations@lists.dns-oarc.net
Subject: Re: [dns-operations] responding to spoofed ANY queries

 From: Jim Reid j...@rfc1035.com

 I suppose a name server could keep a (small?) cache of recently
 marshalled answers and use that to either rate limit responses which
 are too large or identical to one that has recently been sent to the
 same IP address(es). [For some definition of large and recent.]

A problem with that thought is what I tried to state before, that there
is no definition of large that is small enough to permit an exemption
from rate limiting but not so small that it keeps mininimal DNS responses
rate limited.
For example, seems that random.rfc1035.com to your 93.186.33.42 is
good for a 2X amplified stream of NXDMOAINS.  2X is small but too high
for DoS victims to tolerate.  I trust you will eventually turn on
DNSSEC, which will probably boost your amplification of random requests
well above 5X.

  It
 could be good to have something which rate limits outgoing responses
 in addition to what's done with incoming queries.

Please recall that RRL stands for *response* rate limiting and neither
*query* rate limiting nor *client* rate limiting.  The differences are
significant.

Among those differences is one that wrecks the goal of turning off
RRL for those mythical small enough to not be amplified responses.
Because RRL is about rate limiting responses instead of clients,
there is few or no good reasons to turn it off for large or small
legitimate responses.  Legitimate responses are not frequently
repeated and so don't get dropped except in rare or dubious scenarios.


Vernon Schryverv...@rhyolite.com
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] responding to spoofed ANY queries

2013-01-16 Thread Vernon Schryver 
 From: Frank Bulk frnk...@iname.com

 Perhaps the ratio could be a dynamic whitelist -- if it's 1.5 or less, then
 allow the response to go out.

What would be gained by spending the code complexity and CPU cycles
such a mechanism would require?  What bad things would be avoided
or good things achieved?

(Please do not mention false positives, because that notion of false
positive is irrelevant and does not happen with RRL.)


Vernon Schryverv...@rhyolite.com
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs