note: replying only to dnsop@. no thread is ever appropriate for dnsop@
plus some other mailing list. please stop cc'ing dns-operations@ on your
replies; this is not an operational thread, and the people in the dns
community who care about protocol development are probably on both lists.

> Mark Andrews <mailto:ma...@isc.org>
> Tuesday, March 17, 2015 10:10 AM
>
> Let's get DNS cookies finalised so that TC=1 isn't needed for repeat
> legitimate clients. ...
>
> TC=1 for amplification suppression should be triggered by response
> size and whether you are a known repeat client or not rather than
> {meta} query type.

to be clear, response rate limiting will still be necessary even with
dns cookies in place.

without dns cookies, the requests don't have to have correct source-ip
addresses, and thus, a dns server can be made to attack the apparent
source of those queries. rrl helps with this.

with dns cookies, the requests have to have correct source-ip addresses,
and thus, a dns server can be made to attack its own upstream
infrastructure. rrl helps with this, also.

there should of course be more strict rate limits in place for the
former than for the latter.

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
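As an added illustration of the two-tier policy discussed above (this is example code, not from the post or from any DNS server), a simplified responder that validates an RFC 7873-style server cookie and then applies RRL-style limiting: a strict bucket for sources that have not proven their address, a looser one for sources that have, with TC=1 "slip" responses so legitimate clients can retry over TCP. The secret, rates, slip ratio, size threshold and addresses are constructed assumptions.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed demo secret; a real server uses a random, periodically rotated key.
SERVER_SECRET = b"constructed-demo-secret"


def server_cookie(client_cookie: bytes, src_ip: str) -> bytes:
    """RFC 7873-style server cookie: keyed hash over client cookie and source IP."""
    mac = hmac.new(SERVER_SECRET, client_cookie + src_ip.encode(), hashlib.sha256)
    return mac.digest()[:8]


def cookie_valid(client_cookie: bytes, presented: bytes, src_ip: str) -> bool:
    """A correct server cookie shows the querier really receives traffic at src_ip."""
    return hmac.compare_digest(server_cookie(client_cookie, src_ip), presented)


class ResponseRateLimiter:
    """Per-source token buckets: strict for unverified sources, looser for verified.

    Over-limit responses are handled RRL-style: most are dropped, but every
    `slip`-th one is sent truncated (TC=1) so a real client can retry over TCP.
    """

    def __init__(self, unverified_rps=5, verified_rps=50, big_response=512, slip=2):
        self.rates = {False: unverified_rps, True: verified_rps}
        self.big_response = big_response
        self.slip = slip
        self.buckets = {}              # (src_ip, verified) -> (tokens, last_refill)
        self.limited = defaultdict(int)

    def decide(self, src_ip: str, verified: bool, response_len: int, now: float) -> str:
        """Return 'answer', 'truncate' (TC=1) or 'drop' for one candidate response."""
        if response_len <= self.big_response:
            return "answer"            # small reply, little amplification value
        rate = self.rates[verified]
        key = (src_ip, verified)
        tokens, last = self.buckets.get(key, (rate, now))
        tokens = min(rate, tokens + (now - last) * rate)   # refill since last call
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return "answer"
        self.buckets[key] = (tokens, now)
        self.limited[key] += 1
        return "truncate" if self.limited[key] % self.slip == 0 else "drop"
```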