[ratelimits] error in amplification attack

Joe Abley jabley at hopcount.ca
Tue Nov 13 20:25:04 UTC 2012


On 2012-11-13, at 14:58, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:

> On Tue, Nov 13, 2012 at 12:53:43PM -0500, Edward Lewis wrote:
>> $ dig . axfr @xfr.lax.dns.icann.org | awk '$4=="NS" { print $1}' | sort -u
> 
> Sure.  As long as the present heavyweight regime for the root zone
> remains in place, that'll work.

Actually, so long as the zone doesn't grow beyond the size of other zones for which AXFR is known to work acceptably well, that'll work.

With two updates per day and a relatively small community of people interested in the data, I would say we're good up to around 5 million TLDs. As we approach 10 million, we might want to consider not doing that.

(You can also mirror the file from ftp.internic.net, which is arguably a more sensible way to get the data anyway. I just know that dig is present on every system I use, while others have a mixture of ftp/fetch/curl/wget that I usually guess wrong about.)

> Once the
> current experiment in root expansion succeeds (and it will), we'll be
> well down the road to a flat namespace, as the price for a root
> delegation is bound to come down.

I appreciate exaggeration for effect, but let's not be gratuitous :-)


Joe
