On Fri, Apr 04, 2008 at 03:51:16PM -0700, John L. Crain wrote:

> I don't think the disease is life threatening. I keep hearing about the
> "Problem" of bogus queries to the root. It is certainly messy and ugly but
> from my perspective as an operator it is more of an irritant than anything else.
> The capacity building for root operators, at least in our case, is not built
> around those bogus queries, it's built around other problems such as the
> number of hosts with weak security that are available for use in DDOS attacks.

Thanks, John, for bringing this up. The topic is re-occurring and for judging the cure vs. the disease we would need to know not only how widespread the disease is (in percent of the queries), but whether the patient actually suffers. Also, it would be interesting to not only watch the "bogus" queries but also look at the ratio of "bogus" vs. "legitimate" queries per source IP address, also taking into account other query parameters. This would help getting an idea whether measures implemented in the average recursive full resolver would actually lead to a significant change.

For the "AS112 for TLDs" I sense there is consensus to go to WGLC with maintaining the drafts' current focus.

> For now I still believe the best answer is to keep answering with NXDOMAIN
> and hoping that one day, this is where I am delusional, that those doing the
> querying will fix their end of the problem...

Since "information leakage" has been mentioned already and additional delay is another concern on the client side, it might be worth addressing the "disease" from this end. However, we have no indication that anybody actually suffers here. So, unless we'd like to live with the topic popping up over again, we could try a "trade offs document" for a start. Not sure this will end up as something to be reasonably published as an RFC, but it might at least serve as a pointer target next time the idea comes up.

-Peter

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
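
The per-source measurement suggested in the message above, sketched as an added example that is not part of the original thread: it computes the "bogus" vs. "legitimate" ratio per source IP and the share of bogus queries coming from sources that also send legitimate traffic. The log format, the small TLD set, the function names and the 0.9 threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: tiny stand-in for the list of TLDs delegated in the root zone.
DELEGATED_TLDS = {"com", "net", "org", "de", "arpa"}

# Constructed sample input: "<source IP> <qname> <qtype>" per query.
SAMPLE_LOG = """\
192.0.2.10 www.example.com. A
192.0.2.10 mail.example.org. MX
192.0.2.10 printer.local. A
192.0.2.10 example.de. AAAA
198.51.100.7 wpad.lan. A
198.51.100.7 fileserver.corp. A
198.51.100.7 host.localdomain. A
198.51.100.7 example.net. A
203.0.113.5 db01.internal. A
203.0.113.5 db01.internal. AAAA
"""

def is_bogus(qname):
    """'Bogus' here means the rightmost label is not a delegated TLD."""
    name = qname.rstrip(".").lower()
    if not name:
        return False  # a query for the root itself is legitimate
    return name.split(".")[-1] not in DELEGATED_TLDS

def per_source_ratio(log_text):
    """Return {source: (bogus, legitimate, bogus_fraction)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        src, qname, _qtype = fields
        counts[src][0 if is_bogus(qname) else 1] += 1
    return {s: (b, ok, b / (b + ok)) for s, (b, ok) in counts.items()}

def bogus_share_from_mixed_sources(stats, threshold=0.9):
    """Share of all bogus queries sent by sources whose bogus fraction is below threshold."""
    total = sum(b for b, _, _ in stats.values())
    mixed = sum(b for b, _, f in stats.values() if f < threshold)
    return mixed / total if total else 0.0

if __name__ == "__main__":
    stats = per_source_ratio(SAMPLE_LOG)
    for src, (b, ok, f) in sorted(stats.items()):
        print(f"{src:15} bogus={b} legit={ok} ratio={f:.2f}")
    print("bogus share from mixed sources:", bogus_share_from_mixed_sources(stats))
```
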