On Sat, Nov 1, 2014 at 1:21 PM, Paul Vixie <p...@redbarn.org> wrote:
>
> what we've learned from random-subdomain flood attacks is that the
> nxdomain limit (in BIND9 that's nxdomains-per-second) and the slip ratio
> both have to be higher than we thought. at the moment i'm going to say
> nxdomains-per-second of at least 20, and a slip ratio of 5.
>

This sort of control is of course what distinguishes a prototype implementation of a service from deployment grade.

One of the concerns I have about approaches to DPRIVE is that they tend to start from the DNS specification and add security to that model rather than look at real-world implementations. It is really easy to assume away the hard problems. I want to get authentication into the client-resolver loop so that we have a cryptographic enforcement mechanism for abuse control rather than relying on heuristics.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs