[ratelimits] RRL vs other approaches
Vernon Schryver
vjs at rhyolite.com
Wed Feb 20 01:26:25 UTC 2013
> From: Tony Finch <dot at dotat.at>
> There are a couple of problems with Ed's presentation:
>
> (1) Why not send a minimal truncated response rather than a refused
> response? It is the same size and avoids interop problems.
indeed.
> (2) The only mail server that makes ANY queries is qmail, and it
> does so for address canonic
Shouldn't that be "as far as is known" instead of "only qmail"?
I'm probably being stupid. Why wouldn't it be good for a recursive
server to request ANY when talking to an authoritative about a client's
request for MX, A, or AAAA in the expectation that the client is
likely to eventually ask for one of the other record types?
My questions about
http://www.nanog.org/meetings/nanog57/presentations/Wednesday/wed.lightning1.lewis.dns.pdf
are
(1) What is meant by the comment about RRL on page 3:
Effective, but an in-line activity and scales "only so much"
Is that a claim that RRL uses too many CPU cycles? If so, what
are the measurements behind the claim and in RRL implementation?
Or is it a comment about very dispersed reflection attacks in which
any single DNS server sees too few requests to notice anything evil?
(2) What are the "other mitigations for [DNSSEC records]" mentioned on
page 6? What can a gTLD server do other than RRL for the ~16X
amplification in the NXDOMAIN response for
dig +dnssec asdfqwerasdf.org @a0.org.afilias-nst.info
Vernon Schryver vjs at rhyolite.com
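As an added illustration of the two mechanisms argued over in this thread (a minimal TC=1 reply being the same size as a REFUSED reply, and RRL's per-prefix, per-response token bucket with "slip"), here is a small Python model; it is not code from the RRL patches or from any poster, and the bucket parameters, prefix lengths, and the sample query are assumed values.

```python
import struct
import ipaddress
from collections import defaultdict

# Constructed sample: query for example.org/ANY, id 0x1234, RD set (not from the thread).
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03org\x00" + struct.pack("!HH", 255, 1))

def minimal_reply(query, truncated):
    """Header plus question only. truncated=True gives TC=1/NOERROR, else RCODE=REFUSED."""
    qid, flags = struct.unpack("!HH", query[:4])
    i = 12                               # skip the 12-byte header
    while query[i] != 0:                 # walk the QNAME labels
        i += query[i] + 1
    i += 1 + 4                           # root label, QTYPE, QCLASS
    bits = 0x0200 if truncated else 0x0005
    hdr = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100) | bits, 1, 0, 0, 0)
    return hdr + query[12:i]             # same length either way

class Rrl:
    """Per-second token bucket keyed on (client prefix, response identity); assumed parameters."""
    def __init__(self, per_second=5, slip=2, v4_len=24, v6_len=56):
        self.per_second, self.slip = per_second, slip
        self.v4_len, self.v6_len = v4_len, v6_len
        self.buckets = {}                # key -> (tokens, second)
        self.limited = defaultdict(int)  # key -> responses withheld so far

    def key(self, client, qname, qtype, rcode):
        ip = ipaddress.ip_address(client)
        plen = self.v4_len if ip.version == 4 else self.v6_len
        net = ipaddress.ip_network((str(ip), plen), strict=False)
        # Every NXDOMAIN toward a prefix shares one bucket (the name is attacker-chosen);
        # positive answers are keyed on the exact (name, type) that would be sent.
        ident = "NXDOMAIN" if rcode == 3 else (qname.lower(), qtype)
        return (str(net), ident)

    def decide(self, client, qname, qtype, rcode, now):
        """Return 'send', 'slip' (send minimal_reply(..., truncated=True)) or 'drop'."""
        k = self.key(client, qname, qtype, rcode)
        tokens, sec = self.buckets.get(k, (self.per_second, int(now)))
        if int(now) > sec:               # refill once per wall-clock second
            tokens, sec = self.per_second, int(now)
        if tokens > 0:
            self.buckets[k] = (tokens - 1, sec)
            return "send"
        self.buckets[k] = (tokens, sec)
        self.limited[k] += 1
        # Every slip-th withheld response becomes a TC=1 reply so a real client can retry over TCP.
        return "slip" if self.slip and self.limited[k] % self.slip == 0 else "drop"
```

The model shows why the "same size" point holds (both replies are header plus question) and how NXDOMAIN flood responses collapse into one bucket per client prefix while unrelated positive answers to the same prefix are unaffected.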