[ratelimits] error in amplification attack

Andrew Sullivan ajs at anvilwalrusden.com
Wed Nov 14 06:07:49 UTC 2012


On Tue, Nov 13, 2012 at 08:15:50PM -0500, Joe Abley wrote:
> > What is a DNSSEC referral?  I don't think such referrals are signed,
> > are they?
> 
> The DS RRSet is signed. If there's no DS RRSet, there's no secure referral.

Sorry, I'm being an idiot, but I meant the referral to the root that
you get from a server not authoritative for the domain.  It's just the
authority section, so no signature.  (In your example you of course
get DNSSEC data, because you asked the servers for a parent domain.)

But anyway, it appears people think that the rate limit is cheaper.
Since I haven't done the experiment, I don't really have much more to
say on the topic, although if someone else has done this experiment
it'd be interesting to hear about the overhead.  (In general, one of
the things I'm not totally clear on is what overhead the rate limit
patch imposes.  It'd be interesting to learn how people model that,
because I'm having a difficult time convincing myself that I have a
good cost model for answering different classes of query anyway.)

Best,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
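As an added illustration (not part of the thread, and not any particular server's RRL code), a small Python model of the trade-off discussed above: for constructed traffic it decides per-response actions the way response rate limiting does and compares the bytes sent under three policies (answer everything, send a minimal unsigned referral to everything, or rate limit). The sample queries, addresses and response sizes are assumed values.

```python
from collections import defaultdict

# Constructed sample traffic: (second, client_ip, qname, qtype). The address
# 198.51.100.7 stands for a spoofed victim whose "query" is repeated; 203.0.113.5
# is an ordinary resolver. Addresses and sizes below are assumed, not measured.
SAMPLE = ([(0, "198.51.100.7", "example.org", "ANY")] * 40
          + [(0, "203.0.113.5", "example.org", "A"),
             (1, "203.0.113.5", "www.example.org", "A")]
          + [(1, "198.51.100.7", "example.org", "ANY")] * 40)

QUERY_BYTES = 50                                   # typical UDP query size
SIZES = {"answer": 3200, "referral": 450, "truncate": 60, "drop": 0}


def prefix24(ip):
    """RRL accounts per /24 so a spoofer cannot evade by varying host bits."""
    return ".".join(ip.split(".")[:3])


def rrl_actions(queries, limit=5, slip=2):
    """Fixed one-second-window model of response rate limiting.

    Identical responses (same /24, qname, qtype) beyond `limit` per second are
    dropped, except that every `slip`-th excess response is sent truncated
    (TC=1, tiny) so a real client can retry over TCP. Returns the per-query
    action list and the number of tracked keys, a rough measure of RRL state.
    """
    counts, excess, actions = defaultdict(int), defaultdict(int), []
    for sec, ip, qname, qtype in queries:
        tuple_ = (prefix24(ip), qname, qtype)
        counts[(sec, tuple_)] += 1
        if counts[(sec, tuple_)] <= limit:
            actions.append("answer")
            continue
        excess[tuple_] += 1
        actions.append("truncate" if slip and excess[tuple_] % slip == 0 else "drop")
    return actions, len(counts)


def amplification(actions, policy):
    """Bytes sent and out/in ratio for one policy: 'none' answers everything
    in full, 'referral' sends a minimal unsigned referral to every query, and
    'rrl' sends whatever rrl_actions decided."""
    per = {"none": lambda a: SIZES["answer"],
           "referral": lambda a: SIZES["referral"],
           "rrl": lambda a: SIZES[a]}[policy]
    out = sum(per(a) for a in actions)
    return out, out / (len(actions) * QUERY_BYTES)
```

The tracked-key count is the part of the "overhead" question that is easy to model; CPU cost per query is not captured here.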
