In message <alpine.lsu.2.00.1602052158390.7...@hermes-2.csi.cam.ac.uk>, Tony Finch writes:

> Last weekend one of our authoritative name servers
> (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it
> rather unhappy. Over the last week I have developed a patch for BIND to
> implement draft-ietf-dnsop-refuse-any which should allow us to handle
> ANY flood attacks better. http://fanf.livejournal.com/140566.html
>
> I still have a potential problem with RRSIG queries, which work a lot like
> ANY queries. Cloudflare's approach is to simply refuse them, which makes a
> lot of sense because RRSIG queries don't have the same interop concerns as
> ANY queries. However, in an attack like the ones we had last weekend where
> the queries arrived at our authoritative servers from lots of real
> recursive servers, a refusal will cause retries and make the attack worse.
>
> Would it be reasonable as an alternative to follow the refuse-any approach
> and just return the RRSIG(s) for one RRset? If so, I think this suggestion
> should be included in the draft.

Yes, for both SIG and RRSIG. They are not useful queries on their own. I am
discounting the corner case of a non-DNSSEC-aware recursive server in front
of a validating client, as that does not work reliably with DNS loose
coherency.
Mark

> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Thames, Dover: Southwest 5 to 7, occasionally gale 8 later, perhaps severe
> gale 9 later. Moderate, occasionally rough later. Occasional rain or drizzle.
> Moderate or good, occasionally poor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
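As an added illustration of the behaviour discussed in the thread (this is example code, not Tony's BIND patch or anything from ISC), the sketch below models an authoritative server that answers ANY and RRSIG queries with NOERROR and the data of a single RRset, so the response stays small without being a refusal that provokes resolver retries. The zone contents, the RRSIG strings and the "smallest RRset" selection rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
@dataclass
class RRset:
    rtype: str
    rdatas: List[str]
    rrsig: Optional[str] = None  # RRSIG record covering this RRset, if signed

# Constructed sample zone data (not a real zone): one signed owner name.
ZONE: Dict[str, List[RRset]] = {
    "www.example.": [
        RRset("A", ["192.0.2.1", "192.0.2.2"],
              rrsig="www.example. RRSIG A 13 3 300 (constructed signature)"),
        RRset("AAAA", ["2001:db8::1"],
              rrsig="www.example. RRSIG AAAA 13 3 300 (constructed signature)"),
        RRset("TXT", ['"v=spf1 -all"'],
              rrsig="www.example. RRSIG TXT 13 3 300 (constructed signature)"),
    ],
}

MINIMISED_QTYPES = {"ANY", "RRSIG"}  # meta-types answered from a single RRset

def pick_one(rrsets: List[RRset]) -> RRset:
    """Choose the one RRset for a minimised ANY/RRSIG answer. Any deterministic
    rule works; the smallest RRset keeps the response and amplification small."""
    return min(rrsets, key=lambda rs: len(rs.rdatas) + (1 if rs.rrsig else 0))

def records_for(qname: str, rs: RRset, do_bit: bool) -> List[str]:
    """Render one RRset as answer-section lines, adding its RRSIG if DO is set."""
    lines = [f"{qname} {rs.rtype} {rdata}" for rdata in rs.rdatas]
    if do_bit and rs.rrsig:
        lines.append(rs.rrsig)
    return lines

def answer(zone: Dict[str, List[RRset]], qname: str, qtype: str,
           do_bit: bool = True) -> Tuple[str, List[str]]:
    """Return (rcode, answer section). ANY and RRSIG get NOERROR with data from
    one RRset only: a small response, but not a refusal that triggers retries."""
    rrsets = zone.get(qname)
    if rrsets is None:
        return "NXDOMAIN", []
    if qtype in MINIMISED_QTYPES:
        chosen = pick_one(rrsets)
        if qtype == "RRSIG":  # just the signature(s) of one RRset, as proposed
            return "NOERROR", [chosen.rrsig] if chosen.rrsig else []
        return "NOERROR", records_for(qname, chosen, do_bit)
    for rs in rrsets:  # ordinary query: exact type match only
        if rs.rtype == qtype:
            return "NOERROR", records_for(qname, rs, do_bit)
    return "NOERROR", []  # NODATA: name exists but has no RRset of this type
```

Ordinary typed queries are still answered in full, so only the two meta-types that a flood would use are minimised.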