Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> Why not also when cookies are used? Like TCP, they protect against
> reflection attacks.
My reason for deploying minimal-any was not for direct reflection attacks, because RRL already deals with direct reflection attacks. I wanted to avoid sending truncated UDP responses to legit resolvers.

When lots of legit recursive resolvers are being attacked with ANY queries for one of my zones, I don't want them to hammer my authoritative servers with TCP connections. So, minimal-any means they go away happy with a small answer, and everything stays on UDP.

Eventually I expect legit resolvers to deploy cookies, and I still want to send them small answers to avoid TCP when an ANY attack happens.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Forties, Cromarty, Forth: Southwest 5 or 6, decreasing 4 at times. Slight or moderate, occasionally rough at first in Forties. Fair. Good.
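An added illustration of the truncation problem Tony describes (example code written for this page, not Tony's or BIND's minimal-any implementation): a full ANY answer that overflows the UDP limit gets the TC bit, which is what drives resolvers onto TCP, while a minimal answer built from one small RRset fits and stays on UDP. The 512-byte limit, the sample zone data and the "smallest RRset, else a synthesized HINFO" selection policy are assumptions of the example.

```python
import struct

A, HINFO, TXT, ANY = 1, 13, 16, 255
UDP_LIMIT = 512          # assumed payload limit for a client without EDNS
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200

def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels plus a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_rr(name, rtype, ttl, rdata):
    # NAME TYPE CLASS(IN) TTL RDLENGTH RDATA
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(qname, rrsets, limit=UDP_LIMIT):
    """Header + question + answer for an ANY query. If the message would exceed
    `limit`, drop the answer section and set TC (the resolver then retries over TCP)."""
    question = encode_name(qname) + struct.pack("!HH", ANY, 1)
    answer = b"".join(encode_rr(qname, t, 300, rd) for t, rds in rrsets.items() for rd in rds)
    nrr = sum(len(rds) for rds in rrsets.values())
    flags = FLAG_QR | FLAG_AA
    if 12 + len(question) + len(answer) > limit:
        flags, answer, nrr = flags | FLAG_TC, b"", 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, nrr, 0, 0)
    return header + question + answer

def tc_set(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def minimal_any(qname, rrsets, limit=UDP_LIMIT):
    """Assumed policy: answer with the smallest RRset that fits the limit; if none
    fits, synthesize an HINFO "RFC8482" RRset (the fallback RFC 8482 describes)."""
    base = 12 + len(encode_name(qname)) + 4
    def rrset_size(rtype, rds):
        return sum(len(encode_rr(qname, rtype, 300, rd)) for rd in rds)
    fitting = [(rrset_size(t, rds), t) for t, rds in rrsets.items()
               if base + rrset_size(t, rds) <= limit]
    if fitting:
        _, rtype = min(fitting)
        return {rtype: rrsets[rtype]}
    return {HINFO: [b"\x07RFC8482\x00"]}   # CPU="RFC8482", OS=""

# Constructed zone data: one A record plus eight long TXT records at one name.
ZONE = {
    A: [bytes([192, 0, 2, 1])],
    TXT: [bytes([100]) + b"x" * 100 for _ in range(8)],
}
```

With this data the full ANY answer is 1058 bytes and comes back truncated, whereas the minimal answer is 58 bytes and is never truncated.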