[ratelimits] RRL vs other approaches
vjs at rhyolite.com
Wed Feb 20 01:26:25 UTC 2013
> From: Tony Finch <dot at dotat.at>
> There are a couple of problems with Ed's presentation:
> (1) Why not send a minimal truncated response rather than a refused
> response? It is the same size and avoids interop problems.
> (2) The only mail server that makes ANY queries is qmail, and it
> does so for address canonic
Shouldn't that be "as far as is known" instead of "only qmail"?
I'm probably being stupid. Why wouldn't it be good for a recursive
server to request ANY when talking to an authoritative about a client's
request for MX, A, or AAAA in the expectation that the client is
likely to eventually ask for one of the other record types?
My questions about
(1) What is meant by the comment about RRL on page 3:
Effective, but an in-line activity and scales "only so much"
Is that a claim that RRL uses too many CPU cycles? If so, what
are the measurements behind the claim and in RRL implementation?
Or is it a comment about very dispersed reflection attacks in which
any single DNS server sees too few requests to notice anything evil?
(2) What are the "other mitigations for [DNSSEC records]" mentioned on
page 6? What can a gTLD server do other than RRL for the ~16X
amplification in the NXDOMAIN response for
dig +dnssec asdfqwerasdf.org @a0.org.afilias-nst.info
Vernon Schryver vjs at rhyolite.com
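A simplified RRL model, added here as an illustration and not code from this thread, BIND, NSD or any other RRL implementation. It shows the per-client-prefix token bucket and the "send a minimal truncated response instead of refusing" idea from point (1), applied to a constructed burst of NXDOMAIN lookups; the /24 keying, the bucket keyed on the client only for NXDOMAIN, and the limit values are assumptions of this sketch.

```python
import ipaddress
from collections import Counter, defaultdict

# Simplified model of DNS Response Rate Limiting (RRL); an added illustration
# for this thread, not the BIND or NSD implementation. Responses are metered
# by a token bucket keyed on the client's /24 prefix and the response identity.
# An over-limit answer is normally dropped, but every `slip`-th one is sent as
# a minimal truncated (TC=1) reply: a real resolver retries over TCP, while a
# spoofed reflection victim receives only a packet no larger than the query.

class RRL:
    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rps = responses_per_second
        self.window = window   # seconds of unused credit a bucket may bank
        self.slip = slip       # 1 in `slip` over-limit replies is a TC reply
        # bucket state: [credit, last_seen_time, over_limit_count]
        self.buckets = defaultdict(lambda: [float(responses_per_second), 0.0, 0])

    def key(self, client_ip, qname, kind):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        # assumption: NXDOMAIN answers are counted per client prefix only,
        # since an attacker can vary the nonexistent name freely
        return (net, kind, None if kind == "nxdomain" else qname.lower())

    def decide(self, client_ip, qname, kind, now):
        b = self.buckets[self.key(client_ip, qname, kind)]
        # refill credit for the elapsed time, capped at `window` seconds' worth
        b[0] = min(self.rps * self.window, b[0] + (now - b[1]) * self.rps)
        b[1] = now
        if b[0] >= 1.0:
            b[0] -= 1.0
            return "answer"
        b[2] += 1
        return "truncate" if self.slip and b[2] % self.slip == 0 else "drop"

def simulate():
    """Constructed burst: 20 NXDOMAIN lookups for random names, all spoofed
    from one /24 within the same second, then one query a second later and
    one from an unrelated prefix."""
    rrl = RRL()
    burst = Counter(rrl.decide("192.0.2.7", f"junk{i}.example", "nxdomain", 0.0)
                    for i in range(20))
    later = rrl.decide("192.0.2.9", "junk99.example", "nxdomain", 1.0)
    other = rrl.decide("198.51.100.1", "junk0.example", "nxdomain", 0.0)
    return dict(burst), later, other

if __name__ == "__main__":
    print(simulate())
```

With these settings the first 5 answers in the burst go out, the remaining 15 are split between dropped and truncated replies, and both the same prefix one second later and an unrelated prefix are answered normally.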