While not Paul or Stephane, I would like to point out that repeated, empirical evidence shows that simply dropping or ignoring queries has the operational effect of link saturation. A quicker, more reliable DDoS vector may not exist. I could not agree that dropping queries is sensible or prudent, if the goal is to have a workable DNS. As to delay as a mitigating strategy, well, that didn't work so well either. The original RFC 1918 blocks had no public DNS service. We then made the mistake of standing them up. The intent was to delay the response, with an NXDOMAIN first and then a redirect into the private network. It was never flaky enough and developers built around that. This became apparent when we actually started responding authoritatively from these servers. I think it was less than an hour before Herb and Jon were in my office and we had a call with the President of the University. Neither delay, nor redirection will be effective. Either no answer or an authoritative answer gives the community certainty.
I’ll step back and let the experts “solve” this.

manning
bmann...@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 5July2015Sunday, at 5:30, Steve Crocker <st...@shinkuro.com> wrote:

> Stephane and Paul,
>
> I’m ok with anything that provides effective negative feedback. Dropping queries or redirecting them is ok with me.
>
> Thanks,
>
> Steve
>
> On Jul 5, 2015, at 5:11 AM, P Vixie <p...@redbarn.org> wrote:
>
>> Delay is expensive for responders since it requires state. Steve's goal of making some tld strings flaky so as to encourage developers to avoid DNS for those names could be met statelessly. For example delegate them to localhost.
>>
>> On July 5, 2015 12:51:08 PM GMT+01:00, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>> On Sat, Jul 04, 2015 at 09:16:17AM -0700, Steve Crocker <st...@shinkuro.com> wrote a message of 21 lines which said:
>>
>>> except for the additional load it places on the root servers,
>>
>> RFC 7535 could be a solution.
>>
>>> I propose augmenting the DNS to include entries in the root that serve the purpose of giving slow NXDOMAIN responses instead of quick responses for those strings that the IETF has identified as not TLDs.
>>
>> If it is a serious proposal, I object. Delaying answers requires keeping state in the authoritative name server and opens a nice DoS boulevard.
>>
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.