Paul Hoffman <paul.hoff...@icann.org> writes:

> On Apr 2, 2024, at 08:42, Wes Hardaker <wjh...@hardakers.net> wrote:
>
> > Do check/worry about DDoS reflections from UDP requests for DNSKEYs.
>
> Why? Of what value is worrying about this? From what you and John
> say, it's pretty clear that you can't do anything effective to
> remediate whatever it is they are doing. Recent DDoS stats indicate
> that redirected DNS over UDP is no longer a significant source in
> real-world attacks.
DNS over UDP is no longer a significant source of threat *because* operators have taken care to deploy technologies to limit amplification. I could argue that your text above says it's time to turn off RRL because it's no longer needed, but I don't think that's actually what you're saying. I'd argue that without continuing to watch what is happening in the real world we may not catch future issues with amplification attacks. RRL is actually somewhat defeatable in multiple ways and we've been lucky that this hasn't been realized well.

TL;DR: I, personally, would never want to say "this is never going to be a problem again and no longer needs to be monitored."

-- 
Wes Hardaker
USC/ISI

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
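The mechanism the two messages above argue about, as an added example that is not part of the thread and not code from any DNS server: a spoofed UDP DNSKEY query is small, the signed DNSKEY answer is large, and a response rate limiter (RRL) keyed on the client's /24 prefix and the response identity is what keeps the reflected byte count down. The wire sizes, the source addresses and the class and function names (`ResponseRateLimiter`, `simulate`, `amplification_factor`) are this example's own constructions, and the limiter is a deliberate simplification of the general RRL design (per-prefix token bucket, with every Nth over-limit answer "slipped" as a truncated TC=1 reply so a genuine client can retry over TCP).

```python
"""Toy model of DNS response rate limiting (RRL) against UDP amplification.

Added illustration for the dns-operations thread; not code from the list
or from any DNS server. Wire sizes are constructed and the limiter is a
simplification of the general RRL design.
"""
import ipaddress
from collections import defaultdict

# Constructed sizes in bytes: a DNSKEY query carrying an EDNS0 OPT record,
# a signed DNSKEY answer with a KSK, a ZSK and their RRSIG, and a TC=1
# reply that echoes only the header and question section.
QUERY_BYTES = 56
DNSKEY_RESPONSE_BYTES = 1200
TRUNCATED_RESPONSE_BYTES = 56


def amplification_factor(query_len, response_len):
    """Bytes reflected at the spoofed victim per byte the attacker sends."""
    return response_len / query_len


class ResponseRateLimiter:
    """Token bucket per (source /24, qname, qtype), refilled once per second."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.buckets = {}                     # key -> [tokens, second]
        self.slip_counter = defaultdict(int)  # key -> over-limit answers seen

    def _key(self, src_ip, qname, qtype):
        prefix = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (prefix, qname.lower(), qtype)

    def decide(self, src_ip, qname, qtype, now):
        """Return "send" (full answer), "slip" (TC=1 answer) or "drop"."""
        key = self._key(src_ip, qname, qtype)
        second = int(now)
        tokens, last = self.buckets.get(key, [self.rps, second])
        if second != last:                # a new second refills the bucket
            tokens, last = self.rps, second
        if tokens > 0:
            self.buckets[key] = [tokens - 1, last]
            return "send"
        self.buckets[key] = [tokens, last]
        self.slip_counter[key] += 1
        # Over the limit: drop, except every slip-th answer goes out truncated
        # so a real (non-spoofed) client is told to retry over TCP.
        if self.slip_counter[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(sources, queries_per_source, limiter=None):
    """Replay a burst of DNSKEY queries that all arrive within one second.

    Returns (bytes_in, bytes_out, counts) where counts tallies each action.
    With limiter=None every query gets a full answer (no RRL deployed)."""
    out_len = {"send": DNSKEY_RESPONSE_BYTES,
               "slip": TRUNCATED_RESPONSE_BYTES,
               "drop": 0}
    counts = {"send": 0, "slip": 0, "drop": 0}
    bytes_in = bytes_out = 0
    for src in sources:
        for _ in range(queries_per_source):
            bytes_in += QUERY_BYTES
            action = limiter.decide(src, "example.", "DNSKEY", now=0.0) if limiter else "send"
            counts[action] += 1
            bytes_out += out_len[action]
    return bytes_in, bytes_out, counts


if __name__ == "__main__":
    victim = ["192.0.2.1"]                                   # one spoofed source
    spread = [f"10.{i >> 8}.{i & 255}.1" for i in range(1000)]  # 1000 distinct /24s, constructed
    print(f"DNSKEY amplification: {amplification_factor(QUERY_BYTES, DNSKEY_RESPONSE_BYTES):.1f}x")
    for label, srcs, per, lim in [
        ("no RRL, one spoofed source", victim, 1000, None),
        ("RRL, one spoofed source", victim, 1000, ResponseRateLimiter()),
        ("RRL, sources spread over 1000 /24s", spread, 1, ResponseRateLimiter()),
    ]:
        bi, bo, c = simulate(srcs, per, lim)
        print(f"{label}: in={bi} out={bo} ratio={bo / bi:.2f} {c}")
```

The second scenario is the effect operators rely on: once the bucket for a prefix is empty, the server reflects less traffic than it receives, so the attacker loses rather than gains bandwidth. The third scenario is a limit inherent to keying the counter on the source prefix: spoofed queries spread across many /24s each stay under the limit, and the reflected volume returns to the unlimited case. The in/out byte ratio per prefix that the simulation prints is the kind of number an operator can keep an eye on in production rather than assuming the problem is gone.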