On May 15, 2013, at 6:52 PM, Vernon Schryver <v...@rhyolite.com> wrote:
>> This effectively does slip=1 and does away with any amplification and just
>> makes it a pure reflection attack. Still not ideal, but doesn't amplify.
>
> On the contrary, as I just now wrote in the ratelimits mailing list
> http://lists.redbarn.org/mailman/listinfo/ratelimits
> your patch does not affect amplification by authorities.
> For example, if applied to an authority for isc.org,
> `dig +dnssec isc.org any @ams.sns-pb.isc.org'
> would still reflect almost 4 KBytes for each 60 byte ANY request.

The folks that are most concerned with RRL are those expecting queries from stub resolvers; I think this would mitigate this risk.

- Jared
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations