In message <alpine.lsu.2.00.1602052158390.7...@hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> Last weekend one of our authoritative name servers
> (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it
> rather unhappy. Over the last week I have developed a patch for BIND to
> implement draft-ietf-dnsop-refuse-any which should allow us to handle
> ANY flood attacks better. http://fanf.livejournal.com/140566.html
> 
> I still have a potential problem with RRSIG queries, which work a lot like
> ANY queries. Cloudflare's approach is to simply refuse them, which makes a
> lot of sense because RRSIG queries don't have the same interop concerns as
> ANY queries. However, in an attack like the ones we had last weekend where
> the queries arrived at our authoritative servers from lots of real
> recursive servers, a refusal will cause retries and make the attack worse.
> 
> Would it be reasonable as an alternative to follow the refuse-any approach
> and just return the RRSIG(s) for one RRset? If so, I think this suggestion
> should be included in the draft.
 
Yes, for both SIG and RRSIG.  They are not useful queries on their
own.  I am discounting the corner case of a non-DNSSEC-aware recursive
server in front of a validating client, as that does not work reliably
with DNS loose coherency.

Mark

> Tony.
> -- 
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
> Thames, Dover: Southwest 5 to 7, occasionally gale 8 later, perhaps severe
> gale 9 later. Moderate, occasionally rough later. Occasional rain or drizzle.
> Moderate or good, occasionally poor.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
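A minimal-answer policy for ANY and RRSIG queries in the spirit of the approach discussed above, written here as an added example (it is not code from the thread, from BIND or from the draft). The toy zone, the RRSIG strings and the rule of picking the smallest RRset are constructed assumptions.

```python
# Constructed zone: owner -> rtype -> list of rdata strings (sizes are illustrative).
ZONE = {
    "example.test.": {
        "A":    ["192.0.2.1"],
        "AAAA": ["2001:db8::1"],
        "MX":   ["10 mail.example.test."],
        "TXT":  ["v=spf1 -all", "some long text record " * 8],
    }
}
# Constructed RRSIGs: owner -> covered rtype -> list of signature rdata (placeholders).
RRSIGS = {
    "example.test.": {
        "A":    ["A 13 2 3600 20160301000000 20160201000000 12345 example.test. SIGDATA-A"],
        "AAAA": ["AAAA 13 2 3600 20160301000000 20160201000000 12345 example.test. SIGDATA-AAAA"],
        "MX":   ["MX 13 2 3600 20160301000000 20160201000000 12345 example.test. SIGDATA-MX"],
        "TXT":  ["TXT 13 2 3600 20160301000000 20160201000000 12345 example.test. SIGDATA-TXT"],
    }
}

def pick_rrset(rrsets):
    """Choose the one RRset to answer ANY/RRSIG with. Assumption: the smallest
    by rdata length, so the reflected response gives the least amplification."""
    rtype = min(rrsets, key=lambda t: (sum(len(r) for r in rrsets[t]), t))
    return rtype, rrsets[rtype]

def sigs_for(qname, rtype, sigs):
    return [(qname, "RRSIG", s) for s in sigs.get(qname, {}).get(rtype, [])]

def answer(qname, qtype, do_bit=False, zone=ZONE, sigs=RRSIGS):
    """Answer-section records as (owner, rtype, rdata); [] means NODATA/NXDOMAIN.
    ANY and RRSIG get one RRset's worth of data instead of REFUSED, so a real
    recursive server behind the flood gets a usable answer and does not retry."""
    rrsets = zone.get(qname)
    if not rrsets:
        return []
    if qtype == "ANY":
        rtype, rdatas = pick_rrset(rrsets)
        out = [(qname, rtype, rd) for rd in rdatas]
        return out + (sigs_for(qname, rtype, sigs) if do_bit else [])
    if qtype == "RRSIG":
        return sigs_for(qname, pick_rrset(rrsets)[0], sigs)
    if qtype not in rrsets:
        return []
    out = [(qname, qtype, rd) for rd in rrsets[qtype]]
    return out + (sigs_for(qname, qtype, sigs) if do_bit else [])

def full_any(qname, zone=ZONE, sigs=RRSIGS):
    """Naive ANY answer (every RRset and every RRSIG), kept for size comparison."""
    out = []
    for rtype, rdatas in zone.get(qname, {}).items():
        out += [(qname, rtype, rd) for rd in rdatas] + sigs_for(qname, rtype, sigs)
    return out

def approx_size(records):
    """Rough payload size: rdata bytes plus a fixed per-record overhead."""
    return sum(len(rd) + 12 for _, _, rd in records)
```

Comparing `approx_size(answer("example.test.", "ANY", True))` with `approx_size(full_any("example.test."))` shows how much reflected traffic the one-RRset policy removes from each attack query.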