Last weekend one of our authoritative name servers
(authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it
rather unhappy. Over the last week I have developed a patch for BIND to
implement draft-ietf-dnsop-refuse-any which should allow us to handle
ANY flood attacks better. http://fanf.livejournal.com/140566.html

I still have a potential problem with RRSIG queries, which work a lot like
ANY queries. Cloudflare's approach is to simply refuse them, which makes a
lot of sense because RRSIG queries don't have the same interop concerns as
ANY queries. However, in an attack like the ones we had last weekend where
the queries arrived at our authoritative servers from lots of real
recursive servers, a refusal will cause retries and make the attack worse.

Would it be reasonable as an alternative to follow the refuse-any approach
and just return the RRSIG(s) for one RRset? If so, I think this suggestion
should be included in the draft.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Thames, Dover: Southwest 5 to 7, occasionally gale 8 later, perhaps severe
gale 9 later. Moderate, occasionally rough later. Occasional rain or drizzle.
Moderate or good, occasionally poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

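A toy model of the response strategy discussed in the message: draft-ietf-dnsop-refuse-any's "answer ANY with a single RRset" behaviour, plus Tony's proposed extension of the same idea to RRSIG queries. This is an added illustration, not Tony's BIND patch or any BIND code; the zone data is constructed, RRSIG records are opaque strings rather than real signatures, and the choice of which RRset to return is an arbitrary deterministic one.

```python
# Constructed zone: owner name -> {rtype: [rdata, ...]}. RRSIG rdata is
# modelled as "<covered type> <opaque signature>", not a real DNSSEC signature.
ZONE = {
    "example.test.": {
        "A": ["192.0.2.1"],
        "AAAA": ["2001:db8::1"],
        "MX": ["10 mail.example.test."],
        "RRSIG": ["A sig-a", "AAAA sig-aaaa", "MX sig-mx"],
    },
}


def rrsigs_covering(node, rtype):
    """RRSIG records at this node that cover the given RRset type."""
    return [("RRSIG", s) for s in node.get("RRSIG", []) if s.split()[0] == rtype]


def pick_one_rrset(node):
    """Pick a single non-RRSIG RRset to answer with (lowest type name here)."""
    return next((t for t in sorted(node) if t != "RRSIG"), None)


def legacy_any(node):
    """Pre-draft behaviour: every RRset at the node, signatures included."""
    return [(t, rd) for t in sorted(node) for rd in node[t]]


def answer(qname, qtype, do_bit=False):
    """Return (rcode, answer section) for one query.

    ANY   -> one RRset (and its RRSIG if DO is set), per refuse-any.
    RRSIG -> the RRSIG(s) covering one RRset, the alternative the message
             proposes instead of refusing (which would trigger retries).
    other -> the matching RRset (and its RRSIG if DO is set).
    """
    node = ZONE.get(qname)
    if node is None:
        return "NXDOMAIN", []
    if qtype in ("ANY", "RRSIG"):
        rtype = pick_one_rrset(node)
        if rtype is None:
            return "NOERROR", []
        sigs = rrsigs_covering(node, rtype)
        if qtype == "RRSIG":
            return "NOERROR", sigs
        recs = [(rtype, rd) for rd in node[rtype]]
        return "NOERROR", recs + (sigs if do_bit else [])
    recs = [(qtype, rd) for rd in node.get(qtype, [])]
    return "NOERROR", recs + (rrsigs_covering(node, qtype) if do_bit else [])
```

Comparing `len(legacy_any(...))` with the answer-section length for ANY and RRSIG shows the amplification the draft removes: the full node is six records, the reduced answers one or two.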