Vernon Schryver <v...@rhyolite.com> wrote:
> > From: Tony Finch <d...@dotat.at> > > > One of the points of minimal-any is that the answer is not truncated > > because you do not want clients to automatically retry over TCP. > > This is > > to handle situations where many third-party recursive servers > > are under > > attack using one of your names, so the recursive servers are hitting > > your authoritative servers hard. RRL does not work in this case, > > because > > the clients are legitimate recursive servers. You want to give > > them an > > answer asap, that they can cache without hitting TCP. > > On the contrary, as that case is described, RRL works fine, and > this minimal-any mechanism won't help the obvious attack situation > in that might be intended. > > Each legitimate recursive server will ask once per some TTL and > cache the rrsets that it gets. Not if the authoritative server is overloaded and has run out of TCP sockets and is unable to answer the question. The recursive servers will all then be perpetually retrying while the attack continues, so the authoritative servers will never recover from overload. > However, in that case how many legitimate recursive servers will > send ANY requests to authorities? In the case of this attack it was thousands. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn-- zr8h punycode
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
