[ratelimits] error in amplification attack
Joe Abley
jabley at hopcount.ca
Wed Nov 14 01:15:50 UTC 2012
On 2012-11-13, at 19:58, Andrew Sullivan <ajs at crankycanuck.ca> wrote:
> On Tue, Nov 13, 2012 at 10:49:27PM +0000, Vernon Schryver wrote:
>
>> A DNSSEC referral from the gTLD roots gives amplification of
>> about 14X.
>
> What is a DNSSEC referral? I don't think such referrals are signed,
> are they?

The DS RRSet is signed. If there's no DS RRSet, there's no secure referral.

; <<>> DiG 9.8.3-P1 <<>> @a.gtld-servers.net verisigninc.com soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47317
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;verisigninc.com. IN SOA
;; AUTHORITY SECTION:
verisigninc.com. 172800 IN NS l4.nstld.com.
verisigninc.com. 172800 IN NS a4.nstld.com.
verisigninc.com. 172800 IN NS f4.nstld.com.
verisigninc.com. 172800 IN NS g4.nstld.com.
verisigninc.com. 172800 IN NS k4.nstld.com.
verisigninc.com. 172800 IN NS j4.nstld.com.
verisigninc.com. 172800 IN NS h4.nstld.com.
verisigninc.com. 172800 IN NS a1.verisigndns.com.
verisigninc.com. 86400 IN DS 64326 8 2 02E7FEF4C3BBB0A0FA52F0F8E5774C44B243739D1AB7B3B426A417C3 88F45ACF
verisigninc.com. 86400 IN RRSIG DS 8 2 86400 20121120051944 20121113040944 34367 com. q0vl+C8ia6cCo1Mm6eAWD19FRyyH9WtbcXyTKuwTCyRCCa/WtRa9PZD5 9+qT98DdiDEapUKvzJ2fvSQyl08wVPFT9KKP8xSGPEmclD81MC9a1qWi unQUGuARBVttnbW8+K+ijpNdOLSKdoY6U+Cwfr+soyUbQERQj4WK7pAH qTs=
;; ADDITIONAL SECTION:
l4.nstld.com. 172800 IN A 192.41.162.33
a4.nstld.com. 172800 IN A 69.36.158.33
f4.nstld.com. 172800 IN A 192.35.51.33
g4.nstld.com. 172800 IN A 192.42.93.33
k4.nstld.com. 172800 IN A 192.52.178.33
j4.nstld.com. 172800 IN A 192.48.79.33
h4.nstld.com. 172800 IN A 192.54.112.33
a1.verisigndns.com. 172800 IN AAAA 2001:500:7967::2:33
a1.verisigndns.com. 172800 IN A 209.112.113.33
;; Query time: 42 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Tue Nov 13 20:14:07 2012
;; MSG SIZE rcvd: 565

20:14:07.954534 IP6 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651 > 2001:503:a83e::2:30.53: 47317 [1au] SOA? verisigninc.com. (44)
20:14:07.994629 IP6 2001:503:a83e::2:30.53 > 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651: 47317- 0/10/10 (565)

565/14 = 13 or so.

Joe
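
The same measurement done programmatically, as an added example that is not part of the original post: it pairs tcpdump query and response lines by transaction ID and endpoints, then divides the DNS payload sizes tcpdump prints in parentheses. The first two sample lines are the capture from the message above; the second pair, the function names and the threshold of 10 are constructed for illustration.

```python
import re

# tcpdump DNS line: time, IP/IP6, src.port > dst.port:, txid+flags, ..., (payload bytes)
LINE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>\S*) .*\((?P<size>\d+)\)$"
)

SAMPLE = [
    # From the message above.
    "20:14:07.954534 IP6 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651 > 2001:503:a83e::2:30.53: 47317 [1au] SOA? verisigninc.com. (44)",
    "20:14:07.994629 IP6 2001:503:a83e::2:30.53 > 2001:4900:1042:100:ec75:a84f:cdab:5e06.57651: 47317- 0/10/10 (565)",
    # Constructed: a plain A query without EDNS, for comparison.
    "20:14:08.100000 IP 192.0.2.10.40000 > 192.0.2.53.53: 1234+ A? example.com. (29)",
    "20:14:08.101000 IP 192.0.2.53.53 > 192.0.2.10.40000: 1234 1/0/0 A 192.0.2.80 (45)",
]

def amplification(lines, dns_port=53):
    """Return [(server, query_bytes, response_bytes, ratio)] for matched pairs.

    Sizes are DNS payload bytes only; IP and UDP headers are not counted.
    """
    pending, results = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a DNS line in the expected tcpdump format
        size = int(m["size"])
        if int(m["dport"]) == dns_port:      # client -> server: query
            pending[(m["src"], m["sport"], m["dst"], m["txid"])] = size
        elif int(m["sport"]) == dns_port:    # server -> client: response
            q = pending.pop((m["dst"], m["dport"], m["src"], m["txid"]), None)
            if q:
                results.append((m["src"], q, size, round(size / q, 2)))
    return results

def over_threshold(results, limit=10.0):
    """Pairs whose response is at least `limit` times the query size."""
    return [r for r in results if r[3] >= limit]

if __name__ == "__main__":
    for server, q, r, ratio in amplification(SAMPLE):
        print(f"{server}: {q} -> {r} bytes, {ratio}x")
```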