On Tue, Apr 2, 2024 at 12:20 PM Paul Hoffman <paul.hoff...@icann.org> wrote:

> On Apr 2, 2024, at 08:42, Wes Hardaker <wjh...@hardakers.net> wrote:
>
> > Do check/worry about DDoS reflections from UDP requests for DNSKEYs.
>
> Why? Of what value is worrying about this? From what you and John say,
> it's pretty clear that you can't do anything effective to remediate
> whatever it is they are doing. Recent DDoS stats indicate that redirected
> DNS over UDP is no longer a significant source in real-world attacks. Short
> of being fodder for yet another "UDP considered harmful" discussion, why
> even note this?
>

Agree with this sentiment. There are over 1 M unique name server IPs. There
are probably many more resolver IPs seen by auths. The latter probably
includes researchers, random probes and so on.

Limiting UDP responses to < 1500 bytes and truncating otherwise should be
the response these days.


> --Paul Hoffman
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>

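The "truncate instead of sending a large UDP answer" suggestion above, worked through as an added example that is not part of the thread or of any poster's code. It builds a constructed DNSKEY response in raw wire format, applies a UDP size cap by returning only header plus question with the TC bit set (ANCOUNT/NSCOUNT/ARCOUNT zeroed), and reports the bytes-out-per-byte-in ratio before and after. The 1232-byte default is my assumption (the DNS Flag Day 2020 figure), not a number from the thread, which only says "< 1500"; the key material is zero filler, not a real key.

```python
import struct

DNSKEY = 48
CLASS_IN = 1
TC_FLAG = 0x0200


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, txid=0x1234):
    """A plain (no EDNS) DNSKEY query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    return header + encode_name(qname) + struct.pack("!HH", DNSKEY, CLASS_IN)


def build_dnskey_response(qname, key_rdatas, txid=0x1234):
    """Authoritative answer with one DNSKEY RR per rdata (no compression, no OPT)."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(key_rdatas), 0, 0)  # QR=1, AA=1
    question = encode_name(qname) + struct.pack("!HH", DNSKEY, CLASS_IN)
    answers = b""
    for rdata in key_rdatas:
        # NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        answers += encode_name(qname) + struct.pack("!HHIH", DNSKEY, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def question_end(msg):
    """Offset just past the question section, walking QDCOUNT names."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        while True:
            length = msg[off]
            if length == 0:
                off += 1
                break
            if length & 0xC0:      # compression pointer terminates the name
                off += 2
                break
            off += 1 + length
        off += 4                   # QTYPE + QCLASS
    return off


def cap_udp_response(msg, max_size):
    """Return msg unchanged if it fits in max_size; otherwise return only the
    header and question with TC=1 and the other section counts zeroed.
    A genuine client retries over TCP; a spoofed-source reflection target
    receives a reply no larger than the query."""
    if len(msg) <= max_size:
        return msg
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qdcount, 0, 0, 0)
    return header + msg[12:question_end(msg)]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def amplification(query, response):
    """Bytes sent toward the (possibly spoofed) source per byte of query."""
    return len(response) / len(query)


def demo(max_udp=1232):
    # Constructed sample: three DNSKEY RRs, flags 257, protocol 3, algorithm 8,
    # key field 512 zero bytes. Filler only, not real key material.
    qname = "example."
    keys = [b"\x01\x01\x03\x08" + bytes(512) for _ in range(3)]
    query = build_query(qname)
    full = build_dnskey_response(qname, keys)
    capped = cap_udp_response(full, max_udp)
    return {
        "query_bytes": len(query),
        "full_bytes": len(full),
        "capped_bytes": len(capped),
        "capped_tc": is_truncated(capped),
        "amp_full": amplification(query, full),
        "amp_capped": amplification(query, capped),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

demo() shows the point of the suggestion in numbers: the 25-byte query draws a 1630-byte answer over UDP (ratio 65.2), while the capped reply is 25 bytes with TC set (ratio 1.0). The caveat is that every resolver that hits the cap now comes back over TCP (RFC 7766), so the authoritative side has to be provisioned for that TCP load; a spoofing attacker cannot complete that handshake, which is what takes the reflection value away.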