Doug Barton <do...@dougbarton.us> wrote:
> I think this is a bad idea generally, and that RRL is a better solution to the
> amplification vector issue.

RRL and minimal-any address different problems.

My servers have been using RRL for many years and it works very nicely at dealing with spoofed UDP attacks directed at my auth servers.

I implemented and deployed minimal-any to reduce TCP overload problems. If many legitimate recursive servers are being abused as amplifiers, using a name hosted by my authoritative servers, my auth servers can get overloaded with too much TCP traffic. With minimal-any, the recursive servers get answers over UDP, populate their caches, and go away happy.

Cloudflare's reason for deploying minimal-any is also unrelated to RRL. On their servers it is very expensive to assemble an ANY response. It is much simpler and cheaper for them to satisfy queries with a synthetic response than waste effort on a traditional full-fat answer.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Hebrides, Bailey: Cyclonic becoming southwest, 5 or 6. Rough, occasionally very rough. Occasional rain. Good, occasionally poor.
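As an added illustration of the TCP-overload point above (this is example code written for this page, not code from Tony Finch, Cloudflare, or any DNS server), the following Python builds the wire format of an ANY query and of two possible answers for a constructed name: the traditional full answer containing every RRset at the name, and a minimal synthesized answer in the form later standardized in RFC 8482 (a single HINFO record with the text "RFC8482"; the thread itself only says "synthetic response"). It then reports whether each answer fits in a classic 512-byte UDP datagram. The zone contents, the 512-byte limit (the resolver is assumed not to have sent an EDNS OPT record) and the message ID are all assumptions of the example. A real server would set the TC bit and trim the oversized answer rather than send it; here the code only computes that the fallback to TCP would happen.

```python
import struct

# Constructed example data: not from the thread and not a real zone.
QNAME = "example.com."
TYPE_A, TYPE_HINFO, TYPE_MX, TYPE_TXT, TYPE_AAAA, TYPE_ANY = 1, 13, 15, 16, 28, 255
CLASS_IN = 1
UDP_PAYLOAD_MAX = 512  # assumption: no EDNS OPT from the resolver, so the classic limit applies


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no name compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def char_string(s):
    """<character-string> as used in TXT and HINFO rdata: one length byte plus the bytes."""
    data = s.encode("ascii")
    assert len(data) <= 255
    return struct.pack("B", len(data)) + data


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def header(flags, qdcount, ancount, msg_id=0x1234):
    """12-byte DNS header; NSCOUNT and ARCOUNT are zero in this example."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


def question(qname, qtype):
    return encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def any_query(qname):
    """What an abused resolver sends to the authoritative server: a plain ANY query (RD=1)."""
    return header(0x0100, 1, 0) + question(qname, TYPE_ANY)


def full_any_response(qname, answers):
    """Traditional 'full-fat' ANY answer: every RRset at the name (QR=1, AA=1)."""
    return header(0x8400, 1, len(answers)) + question(qname, TYPE_ANY) + b"".join(answers)


def minimal_any_response(qname):
    """Synthesized minimal ANY answer: the single HINFO record RFC 8482 describes."""
    hinfo = rr(qname, TYPE_HINFO, char_string("RFC8482") + char_string(""))
    return header(0x8400, 1, 1) + question(qname, TYPE_ANY) + hinfo


def needs_tcp(response):
    """True when the answer cannot travel in one UDP datagram: a real server would
    set TC=1 and the resolver would repeat the whole exchange over TCP."""
    return len(response) > UDP_PAYLOAD_MAX


def amplification(query, response):
    """Bytes returned per byte of query, the figure an amplifier abuser cares about."""
    return len(response) / len(query)


# Constructed RRsets: a few TXT records are enough to make ANY bulky.
ZONE_RRSETS = [
    rr(QNAME, TYPE_A, bytes([192, 0, 2, 1])),
    rr(QNAME, TYPE_AAAA, bytes.fromhex("20010db8000000000000000000000001")),
    rr(QNAME, TYPE_MX, struct.pack("!H", 10) + encode_name("mail.example.com.")),
    rr(QNAME, TYPE_MX, struct.pack("!H", 20) + encode_name("mail.example.com.")),
] + [rr(QNAME, TYPE_TXT, char_string("dkim%d=" % i + "A" * 194)) for i in range(3)]


if __name__ == "__main__":
    q = any_query(QNAME)
    for label, resp in (("full ANY", full_any_response(QNAME, ZONE_RRSETS)),
                        ("minimal ANY", minimal_any_response(QNAME))):
        print("%-12s %4d bytes  amplification %5.1fx  TCP fallback: %s"
              % (label, len(resp), amplification(q, resp), needs_tcp(resp)))
```

With the constructed zone the full answer is 853 bytes for a 29-byte query and would force the resolver onto TCP, while the synthesized HINFO answer is 61 bytes and is delivered over UDP; that is the difference between a flood of TCP connections at the authoritative server and resolvers that cache the small answer and go away.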