[ratelimits] RRL vs other approaches

Olaf Kolkman olaf at NLnetLabs.nl
Sat Feb 23 07:34:45 UTC 2013

On Feb 20, 2013, at 10:21 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

> Today I realize I am being stupid.  Trying to recursively resolve
> requests for A RRs with ANY requests does not get the NSEC records
> required when there are no A records.  I now wonder if DNSSEC is a 
> reason to deprecate ANY.  (deprecating ANY to mitigate reflection
> attacks is wishful thinking)

This confuses me.

If there is any NSEC record that matches the ownername of your query then the type bitmap provides proof of the existent and non-existent records. i.e. you only need one appropriate NSEC for the QTYPE proofs.


Olaf M. Kolkman

olaf at NLnetLabs.nl

Science Park 400, 1098 XH Amsterdam, The Netherlands

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130223/6305c20a/attachment.htm>

More information about the ratelimits mailing list