[ratelimits] RRL vs other approaches
jabley at hopcount.ca
Tue Feb 19 13:32:53 UTC 2013
On 2013-02-19, at 09:17, Geert Jan de Groot <GeertJan.deGroot at xs4all.nl> wrote:
> At the last NANOG meeting, Ed Lewis spoke about another approach
> to reduce the impact of ANY UDP responses.
> His presentation can be found here:
> I understand that there was some discussion after the talk, but
> I didn't attend and the videos are not available yet.
> In the interest of evaluating multiple approaches as required for the
> standardisation process, and explicitely not wanting to troll the list
> (really!), I would be interested to learn what the list thinks about this?
I think blocking ANY doesn't do much to help the potential for reflection attacks (the next lowest hanging fruit is perhaps DNSKEY) and in general, non-implementation of bits of the standard on the premise that "nobody really needs these bits anyway, we think, maybe" has the potential to cause harm.
We run services which are interesting in the sense that the clients we need to serve are the non-enumerated set of resolvers globally, which in turn have clients in the form of "all Internet users globally" which are also non-enumerated, at least to us. We can't poll our users (and their users) to ask whether blocking ANY will hurt anybody in any meaningful way. This means we need to be very conservative in changing the way our service is implemented, as viewed from our clients.
I don't consider "refuse ANY over UDP" to be a conservative approach.
More information about the ratelimits