Last weekend one of our authoritative name servers (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it rather unhappy. Over the last week I have developed a patch for BIND to implement draft-ietf-dnsop-refuse-any which should allow us to handle ANY flood attacks better.

http://fanf.livejournal.com/140566.html

I still have a potential problem with RRSIG queries, which work a lot like ANY queries. Cloudflare's approach is to simply refuse them, which makes a lot of sense because RRSIG queries don't have the same interop concerns as ANY queries. However, in an attack like the ones we had last weekend, where the queries arrived at our authoritative servers from lots of real recursive servers, a refusal will cause retries and make the attack worse.

Would it be reasonable as an alternative to follow the refuse-any approach and just return the RRSIG(s) for one RRset? If so, I think this suggestion should be included in the draft.

Tony.

-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Thames, Dover: Southwest 5 to 7, occasionally gale 8 later, perhaps severe gale 9 later. Moderate, occasionally rough later. Occasional rain or drizzle. Moderate or good, occasionally poor.
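Added example, not Tony's BIND patch and not code from the draft: a toy Python authoritative responder over a constructed signed zone. It shows the refuse-any style of answer the message proposes, returning one RRset plus its RRSIG(s) for ANY and the RRSIG(s) of one RRset for an RRSIG query, so a recursive server receives a valid small answer rather than REFUSED and has nothing to retry. All names, addresses and signature strings are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    covers: str = ""   # RRSIG only: the type this signature covers

# Constructed sample zone (not real data): one signed name carrying several
# RRsets, each with its own RRSIG, as a DNSSEC-signed zone would.
ZONE = [
    RR("www.example.", "A", "192.0.2.1"),
    RR("www.example.", "A", "192.0.2.2"),
    RR("www.example.", "RRSIG", "A 8 2 3600 sigA", covers="A"),
    RR("www.example.", "AAAA", "2001:db8::1"),
    RR("www.example.", "RRSIG", "AAAA 8 2 3600 sigAAAA", covers="AAAA"),
    RR("www.example.", "TXT", '"v=spf1 -all"'),
    RR("www.example.", "RRSIG", "TXT 8 2 3600 sigTXT", covers="TXT"),
]

def answer(name, qtype, minimal=True):
    """Build the answer section for (name, qtype).
    minimal=True applies the refuse-any idea: ANY gets one RRset plus the
    RRSIG(s) covering it, and RRSIG gets only the RRSIG(s) of one RRset.
    The client still gets a valid non-error answer, so it does not retry.
    minimal=False is the traditional full reply, for comparison.
    """
    owned = [rr for rr in ZONE if rr.name == name]
    if not owned:
        return []                      # NXDOMAIN/NODATA handling is out of scope
    if qtype == "ANY":
        if not minimal:
            return owned
        first = next((rr.rtype for rr in owned if rr.rtype != "RRSIG"), None)
        return [rr for rr in owned if rr.rtype == first or rr.covers == first]
    if qtype == "RRSIG":
        sigs = [rr for rr in owned if rr.rtype == "RRSIG"]
        if not minimal or not sigs:
            return sigs
        return [rr for rr in sigs if rr.covers == sigs[0].covers]
    # Ordinary query: the RRset plus the signatures covering it.
    return [rr for rr in owned if rr.rtype == qtype or rr.covers == qtype]

def approx_size(rrs):
    """Crude encoded size (fixed overhead per RR, no name compression); enough
    to compare how much a small query is amplified by each answer style."""
    return sum(len(rr.name) + len(rr.rdata) + 10 for rr in rrs)
```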