Good morning, Ralf.
At 2016-07-20 13:07:01, "Ralf Weber" <d...@fl1ger.de> wrote:
>Moin!
>
>On 20 Jul 2016, at 5:03, 延志伟 wrote:
>
>> About the DDoS risk, it should not be worried so much because this
>> scheme is controlled/triggered by the recursive server (with a flag as
>> NN bit).
>> In other words, the recursive server can get the piggybacked multiple
>> responses only when it wants and of course it can disable this model
>> anytime.
>That's not how DDoS works. If attackers would only do what the specs say
>we wouldn't have any DDoS. But an attacker can just create a UDP packet
>with that bits and a spoofed address and fire it off (or get a botnet to
>fire it off).
I understand your points, but these risks will always be there because a DNS response
is larger than the request, like DNSSEC.
How to avoid DNS DDoS is another problem.
>> Another scenario to illustrate this proposal is under the DANE case:
>> A client wants to visit www.example.com.
>> But this domain name supports DANE and the TLSA record is configured
>> under the domain name: _443._tcp.www.example.com.
>> The client has to query the two names separately.
>> Yes, it is just one more TTL, but why not do the optimization with
>> a steerable method.
>Again if example.com is popular almost all the time this record will be
>in the cache already.
Anyway, the cache should get the data first and then it can cache them.
:-)
>So long
>-Ralf
Zhiwei Yan
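The size arithmetic behind the two points argued above (a response is larger than the request, and DANE needs a second lookup under the `_443._tcp` owner name) as an added example that is not part of the thread and not code from any resolver: it encodes one query and two responses in DNS wire format without name compression, reports how many bytes a spoofed source would receive per request byte when a TLSA record is piggybacked onto an A answer, and includes a resolver-side amplification policy check. The `NN`-style piggybacking, the 3.0 threshold, the TEST-NET address and the 32-byte TLSA digest are constructed sample values, not anything proposed on the list.

```python
import struct

# Added illustration for the DNSOP thread, not code from any DNS
# implementation. Record contents and the policy threshold are constructed.

TYPE_A = 1
TYPE_TLSA = 52
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name in uncompressed DNS wire format (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dane_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA record for a TLS service (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host}"


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query: bytes, answers: list) -> bytes:
    """Echo the question section and append the given resource records.

    answers: list of (owner, rtype, ttl, rdata). Owner names are left
    uncompressed so the byte counts are easy to follow by hand.
    """
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(answers), 0, 0)
    question = query[12:]
    body = b""
    for owner, rtype, ttl, rdata in answers:
        body += encode_name(owner)
        body += struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body


def tlsa_rdata(usage: int, selector: int, matching: int, cert_data: bytes) -> bytes:
    """TLSA RDATA: usage, selector, matching type, then the association data."""
    return bytes([usage, selector, matching]) + cert_data


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes sent back to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


def within_amplification_policy(query: bytes, answers: list, max_factor: float = 3.0) -> bool:
    """Defender-side check (assumed policy): only piggyback extra records
    while the whole response stays under a configured amplification factor."""
    return amplification_factor(query, build_response(query, answers)) <= max_factor


# Constructed sample data
HOST = "www.example.com"
A_RDATA = bytes([192, 0, 2, 1])  # 192.0.2.1, a TEST-NET-1 documentation address
TLSA_RDATA = tlsa_rdata(3, 1, 1, bytes(range(32)))  # DANE-EE, SPKI, SHA-256; fake digest

QUERY = build_query(HOST, TYPE_A)
PLAIN = build_response(QUERY, [(HOST, TYPE_A, 300, A_RDATA)])
PIGGYBACKED = build_response(QUERY, [
    (HOST, TYPE_A, 300, A_RDATA),
    (dane_name(HOST), TYPE_TLSA, 300, TLSA_RDATA),
])

if __name__ == "__main__":
    print("query bytes:", len(QUERY))
    print("A-only response:", len(PLAIN), "factor", round(amplification_factor(QUERY, PLAIN), 2))
    print("A + TLSA response:", len(PIGGYBACKED), "factor", round(amplification_factor(QUERY, PIGGYBACKED), 2))
```

With these sizes the 33-byte query yields a 64-byte plain answer and a 136-byte piggybacked one, so the second record roughly doubles the amplification a single spoofed packet obtains; the policy function shows one place a resolver could cap that, independent of whether the client asked for piggybacking.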
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop