[ratelimits] RRL vs other approaches
michael+lists at burnttofu.net
Tue Feb 19 16:56:15 UTC 2013
On 2/19/13 5:32 AM, Joe Abley wrote:
> I think blocking ANY doesn't do much to help the potential for reflection attacks (the next lowest hanging fruit is perhaps DNSKEY) and in general, non-implementation of bits of the standard on the premise that "nobody really needs these bits anyway, we think, maybe" has the potential to cause harm.
Agreed; we have already seen the bad guys go for RRSIG. DNSKEY probably
makes more sense, since it's a more "normal/legitimate" query that one
would expect clients to make, as opposed to simply asking for RRSIGs
without any other data.
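To make the distinction in this exchange concrete, here is an added toy simulation (not code from the thread or from any RRL implementation) of the two defences discussed: refusing ANY queries outright versus response rate limiting, which limits how many identical responses a server returns to the same client netblock per second regardless of query type. The traffic, the /24 keying and the limit of five responses per second are constructed assumptions; real RRL implementations also slip truncated answers rather than dropping everything, which is omitted here.

```python
"""Toy comparison of 'block ANY' versus response rate limiting (RRL).

Added example for this thread, not the list's or any DNS server's code.
Constructed traffic: one spoofed source is asked repeatedly for large
records (ANY, then DNSKEY); a normal resolver asks three different names.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed query log entries: (second, source IP, qname, qtype).
SAMPLE_QUERIES = (
    [(t, "198.51.100.7", "example.", "ANY") for t in range(10) for _ in range(20)]
    + [(t, "198.51.100.7", "example.", "DNSKEY") for t in range(10) for _ in range(20)]
    + [(t, "203.0.113.5", name, "A")
       for t, name in enumerate(["www.example.", "mail.example.", "ns1.example."])]
)

# Constructed limit: identical responses allowed per second per /24.
RRL_RESPONSES_PER_SECOND = 5


def block_any_policy(queries):
    """Refuse qtype ANY, answer everything else. Returns answers per source."""
    answered = defaultdict(int)
    for _sec, src, _qname, qtype in queries:
        if qtype != "ANY":
            answered[src] += 1
    return dict(answered)


def rrl_policy(queries, per_second=RRL_RESPONSES_PER_SECOND):
    """Simplified RRL: the same response (same /24, qname, qtype) is sent
    at most `per_second` times per second; the excess is dropped.
    Returns answers per source."""
    answered = defaultdict(int)
    sent = defaultdict(int)  # (second, netblock, qname, qtype) -> count sent
    for sec, src, qname, qtype in queries:
        netblock = ip_network(f"{src}/24", strict=False)
        key = (sec, netblock, qname, qtype)
        if sent[key] < per_second:
            sent[key] += 1
            answered[src] += 1
    return dict(answered)


if __name__ == "__main__":
    # The spoofed source still receives all 200 DNSKEY answers under
    # 'block ANY', but only 5/s of each identical answer under RRL, while
    # the legitimate resolver's three distinct queries are unaffected.
    print("block ANY:", block_any_policy(SAMPLE_QUERIES))
    print("RRL      :", rrl_policy(SAMPLE_QUERIES))
```

The point the simulation illustrates is the one made above: dropping ANY only removes one record type from the reflector's menu, whereas RRL caps the volume of identical answers to a netblock whatever the query type, and leaves a resolver asking varied questions untouched.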