[ratelimits] error in amplification attack

Andrew Sullivan ajs at crankycanuck.ca
Wed Nov 14 00:58:21 UTC 2012


On Tue, Nov 13, 2012 at 10:49:27PM +0000, Vernon Schryver wrote:
> 
> How is maintaining a list of TLDs related to rate limiting (or not)
> REFUSED responses from a DNS server that is authoritative for neither
> "." nor any TLD?

It's not.  If you don't want to return REFUSED, however, you have a
problem.  (I'm assuming the OP didn't want to set this feature.)

> Is an empty response what is commonly called a NODATA response, an
> NXDOMAIN error response, or something else? 

Surely not RCODE=3, no.  Some servers I have seen return a response
with NOERROR but empty Authority sections (and everything else, of
course, since they're not authoritative).  I'm not actually sure this
is protocol-ok, but I'm not exactly sure it isn't, either.  It's not
what's usually called a NODATA response, however.

Some, of course, return a referral (Verisign does this today,
AFAICT).  In the happy old days when every clown with an Internet
connection wasn't trying to blow up the moon, I'm told it was good
manners to return such a referral.  We might want to ask whether that
day has passed, but this isn't dnsop at ietf and if it were I don't
imagine we could reach agreement.

> Why should a DNS server that is authoritative for neither "." nor
> any TLD and not an intentionally open public server like those of
> OpenDNS or Google send anything but a REFUSED error response to
> strange DNS clients?

It used to be normal to return a referral in this case.  I guess it's
long since past the era when that was "normal", but it's still not
"wrong".

> Which overhead is meant, maintaining a list of valid TLDs or rate
> limiting responses to requests for TLDs?

Surely both.  Neither is free.  REFUSED (and so on) all sounds to me
cheaper than spinning up rate limiting infrastructure for a condition
that could change in future when the relevant TLD gets delegated.

> A DNSSEC referral from the gTLD roots gives an amplification of
> about 14X.

What is a DNSSEC referral?  I don't think such referrals are signed,
are they?

A

-- 
Andrew Sullivan
ajs at crankycanuck.ca
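An added illustration, not part of the thread and not code from any server discussed in it, of why REFUSED is "cheaper" than a referral for a server that is authoritative for neither "." nor the TLD being asked about. The Python below builds the three response types the thread names (REFUSED, an empty NOERROR, and an unsigned referral) on the wire from one constructed EDNS0 query with the DO bit set, then divides response size by query size to get the amplification factor an attacker would obtain. The TLD "test.", the server names a.nic.test / b.nic.test and the 192.0.2.x addresses are constructed placeholders (reserved and documentation ranges), not real delegation data.

```python
import struct

TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41
CLASS_IN = 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_RD = 0x8000, 0x0100


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (no pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def header(txid, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)

def question(qname, qtype):
    return encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def opt_rr(udp_size=4096, do_bit=True):
    """EDNS0 OPT pseudo-RR: root name, type 41, class field carries the
    UDP payload size, TTL field carries ext-rcode/version/flags (DO = top bit)."""
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, flags, 0)

def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def parse_question(msg):
    """Return (txid, qname, qtype) from a message built by this module."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, off = [], 12
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, ".".join(labels) + ".", qtype

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def build_query(qname, qtype=TYPE_A, txid=0x1234):
    # Recursion desired, one question, one OPT record in Additional.
    return header(txid, FLAG_RD, 1, 0, 0, 1) + question(qname, qtype) + opt_rr()

def build_refused(query):
    """REFUSED: echo the question (and OPT), carry no records at all."""
    txid, qname, qtype = parse_question(query)
    return header(txid, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 1) + question(qname, qtype) + opt_rr()

def build_empty_noerror(query):
    """NOERROR with empty Answer and Authority sections (AA clear)."""
    txid, qname, qtype = parse_question(query)
    return header(txid, FLAG_QR | FLAG_RD, 1, 0, 0, 1) + question(qname, qtype) + opt_rr()

def build_referral(query, zone, ns_names, glue, ttl=172800):
    """Unsigned referral: NS set in Authority, glue A records in Additional.
    No DS or RRSIG records, so smaller than a DNSSEC-signed referral."""
    txid, qname, qtype = parse_question(query)
    authority = b"".join(rr(zone, TYPE_NS, ttl, encode_name(n)) for n in ns_names)
    additional = b"".join(rr(n, TYPE_A, ttl, bytes(int(o) for o in ip.split(".")))
                          for n, ip in glue.items())
    return (header(txid, FLAG_QR | FLAG_RD, 1, 0, len(ns_names), len(glue) + 1)
            + question(qname, qtype) + authority + additional + opt_rr())

def amplification(query, response):
    """Bytes sent back per byte received: the factor a spoofing attacker gets."""
    return len(response) / len(query)

def compare(qname="example.test."):
    """Constructed scenario: a server authoritative for neither "." nor
    the hypothetical TLD "test." must answer a query for a name under it."""
    q = build_query(qname)
    ns = ["a.nic.test.", "b.nic.test."]                 # hypothetical NS names
    glue = {"a.nic.test.": "192.0.2.1", "b.nic.test.": "192.0.2.2"}  # RFC 5737 addresses
    return {
        "refused": amplification(q, build_refused(q)),
        "empty_noerror": amplification(q, build_empty_noerror(q)),
        "referral": amplification(q, build_referral(q, "test.", ns, glue)),
    }

if __name__ == "__main__":
    for kind, factor in compare().items():
        print(f"{kind:14s} {factor:.2f}x")
```

REFUSED and the empty NOERROR are exactly the size of the query (factor 1.0), because each only echoes the question and OPT record; the referral is several times larger even without a single DS or RRSIG record. The 14X figure quoted above is for a signed referral from a gTLD server, where the DS RRset and its signatures add most of the bulk, so the constructed ratio here is a lower bound, not a contradiction of it.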
