[ratelimits] RRL vs other approaches

Michael Sinatra michael+lists at burnttofu.net
Tue Feb 19 16:56:15 UTC 2013


On 2/19/13 5:32 AM, Joe Abley wrote:

> I think blocking ANY doesn't do much to help the potential for reflection attacks (the next lowest hanging fruit is perhaps DNSKEY) and in general, non-implementation of bits of the standard on the premise that "nobody really needs these bits anyway, we think, maybe" has the potential to cause harm.

Agreed; we have already seen the bad guys go for RRSIG.  DNSKEY probably
makes more sense, since it's a more "normal/legitimate" query that one
would expect clients to make, as opposed to simply asking for RRSIGs
without any other data.

michael
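The point made above (refusing ANY only moves the reflector's traffic to the next large-response type) can be shown on constructed data. The following is an added illustration, not code from this thread or from any RRL implementation: it compares a refuse-ANY policy against a simplified response rate limit that budgets identical-type responses per client in a one-second sliding window. The (client, qtype) key and the 5-per-second budget are simplifications assumed here; real RRL keys on the client prefix and the full response.

```python
"""Refuse-ANY versus a simplified response rate limit on constructed DNS query data."""

from collections import defaultdict, deque

# Constructed sample records: (timestamp_s, client_ip, qtype, response_bytes).
# One source (192.0.2.10) sends 20 ANY queries, then 20 RRSIG, then 20 DNSKEY,
# each at 20 queries per second and each answered with a ~3000-byte response.
# A second source (198.51.100.7) makes two ordinary small queries.
def make_sample():
    rows = []
    for block, qtype in enumerate(("ANY", "RRSIG", "DNSKEY")):
        for i in range(20):
            t = round(block * 1.0 + i * 0.05, 3)  # constructed timestamps
            rows.append((t, "192.0.2.10", qtype, 3000))
    rows.append((0.2, "198.51.100.7", "A", 80))
    rows.append((1.7, "198.51.100.7", "AAAA", 90))
    rows.sort(key=lambda r: r[0])
    return rows


def refuse_any(rows):
    """Policy 1: refuse ANY, answer everything else.

    Returns (bytes_sent, responses_sent). RRSIG and DNSKEY floods pass untouched.
    """
    sent = [r for r in rows if r[2] != "ANY"]
    return sum(r[3] for r in sent), len(sent)


def rate_limit(rows, responses_per_second, window_s=1.0):
    """Policy 2: per-(client, qtype) sliding-window budget, a simplified RRL.

    A response is sent only if fewer than `responses_per_second` responses of
    the same type went to the same client within the last `window_s` seconds.
    Returns (bytes_sent, responses_sent). Query type does not matter: any
    type that is flooded gets capped.
    """
    recent = defaultdict(deque)  # (client, qtype) -> timestamps of sent responses
    bytes_sent = 0
    responses_sent = 0
    for ts, client, qtype, size in rows:
        key = (client, qtype)
        window = recent[key]
        while window and window[0] <= ts - window_s:
            window.popleft()
        if len(window) < responses_per_second:
            window.append(ts)
            bytes_sent += size
            responses_sent += 1
        # else: dropped (a real RRL would also "slip" a truncated reply)
    return bytes_sent, responses_sent


if __name__ == "__main__":
    sample = make_sample()
    print("refuse ANY   :", refuse_any(sample))
    print("rate limit 5/s:", rate_limit(sample, 5))
```

On this constructed sample the refuse-ANY policy still reflects the full RRSIG and DNSKEY floods, while the rate limit caps all three types to the same budget without touching the well-behaved client's two queries.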