On Aug 4, 2015, at 4:20 AM, Mark Andrews <ma...@isc.org> wrote:

> If you are under attack the current method is drop or send back TC=1. TC=1
> means managing many more TCP sessions on both the server and client side.
> With cookies it is drop or BADCOOKIE which keeps the traffic on UDP if there
> isn't a good server cookie.

This is the current method BIND uses. BIND is not renowned for its ability to weather DDoS attacks. Your other assertions are false, and I already explained why. You cannot drop no-cookie queries without increasing the effectiveness of the DDoS attack.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop