On 06/14/2013 05:13 PM, Vernon Schryver wrote:
>> From: Doug Barton <do...@dougbarton.us>
>> is that (like RRL) your proposal relies on people updating their
>> software.
> RRL needs only authority and open recursive servers to be updated.
> The vast majority of DNS installations are closed recursive and stub
> servers that do not need RRL. (A case could be made for RRL on a
> minority of private recursive servers.)
You're right of course, but unfortunately at least where open resolvers
are concerned the same people who operate open resolvers are also those
least likely to know what RRL is, or why it's needed; and are also least
likely to actually upgrade old software. So a statistically significant
percentage of the "long tail" problem is going to apply to those who
would provide the most benefit from making the change.
I could therefore make a pretty strong case that RRL should be on by
default, but I realize that's incredibly unlikely to fly. :)
> Other ideas that I like such as DNS cookies would need more widespread
> changes, which makes enthusiasm for them taxing.
Yeah, that's unfortunate since if it's a good idea it's worth
implementing no matter how long it takes to be beneficial. The time will
pass either way.
>> RRL is actually useful for DDOS
>> attacks against the authoritative server itself. There are likely other
>> reasons, but those are the most obvious (to me anyway).
> That's in the RRL sales story that I've been flogging since before the
> first version of the RRL patch, but so far it has been only incidentally
> true. Some DNS server operators have reported drastic reductions in
> network and CPU load during attacks thanks to RRL, but they were not
> the intended victims of the attacks.
Personally I've never understood why RRL wasn't already baked in. The
only way a legitimate client could send the same query over and over in
a short period of time (intentionally being vague on both terms) is that
it is broken. We did the smart thing to solve that problem on the
iterative side 10 years ago, I don't know why it's taken so long to
solve the auth side. :)
Doug
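As an added illustration of the rate-limiting idea discussed above (example code written for this page, not BIND's RRL implementation or anything from the thread): a simplified RRL-style limiter keyed on client netblock plus response identity, run over constructed traffic. The parameter names mirror BIND's rate-limit options, but the credit accounting is a plain bucket model and is an assumption of this example.

```python
# Simplified model of RRL-style response rate limiting (added example).
# Key = (client netblock, qname, qtype): a flood of identical questions
# from one netblock is limited, while diverse legitimate traffic passes.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    responses_per_second: int = 5   # identical responses allowed per second
    window: int = 15                # seconds of credit a bucket may bank
    slip: int = 2                   # every slip-th penalised reply is truncated (TC=1)
    buckets: dict = field(default_factory=dict)           # key -> (credit, last_time)
    slip_count: dict = field(default_factory=lambda: defaultdict(int))

    def key(self, client_ip, qname, qtype):
        # BIND defaults: ipv4-prefix-length 24, ipv6-prefix-length 56
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network((addr, prefix), strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, t, client_ip, qname, qtype):
        """Return 'respond', 'truncate' or 'drop' for one query at time t."""
        k = self.key(client_ip, qname, qtype)
        credit, last = self.buckets.get(k, (self.responses_per_second, t))
        # refill credit for elapsed time, capped at window * rps; debt is
        # capped symmetrically so a long flood does not punish the bucket forever
        cap = self.window * self.responses_per_second
        credit = max(-cap, min(credit + (t - last) * self.responses_per_second, cap))
        credit -= 1
        self.buckets[k] = (credit, t)
        if credit >= 0:
            return "respond"
        # over the limit: mostly drop, but slip a truncated reply so a real
        # client behind a spoofed address can retry over TCP
        self.slip_count[k] += 1
        if self.slip and self.slip_count[k] % self.slip == 0:
            return "truncate"
        return "drop"


if __name__ == "__main__":
    rl = RateLimiter()
    # constructed flood: same question repeated from one TEST-NET-1 address
    flood = [(0.0, "192.0.2.7", "example.com.", "ANY")] * 10
    print([rl.decide(*q) for q in flood])
    # constructed legitimate traffic: distinct names from distinct clients
    print([rl.decide(0.0, f"198.51.100.{i}", f"host{i}.example.", "A") for i in range(10)])
```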
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users