It appears that Petr Špaček <pspa...@isc.org> said:
>TL;DR is:
>
>RFC 4035 section 5.3.3. Checking the Signature
>has a MUST loop doing crypto operations over product of #DNSKEY * #RRSIG
>set (for matching key tags), and this can be damn expensive.
>
>Of course we should have listened to RFC 1034 page 35 "limit amount of
>work" advice ...
There are innumerable ways that a DNS server can return answers that ask the client to do an unreasonable amount of work. This one is unusual in that the work all happens at once while processing the response, but so what, make sure you limit the number of times through each processing loop.

At contacts.abuse.net I have a little DNS server that lets you look up contact info, e.g. example.com.contacts.abuse.net will give you the info for example.com in TXT records. A few client systems hammer on it with odd queries like one that seemed to be looking up every name in the .AT TLD. So they get a special response, a referral with 10 NS records, each with a name they can look up to get 25 pseudo-random A or AAAA records. I figured this would provoke complaints, so I could tell them to cut it out. But it hasn't, so that's evidently something they've limited so it doesn't matter.

R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
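The "limit the number of times through each processing loop" point above, worked through as an added example that is not part of the thread and not code from ISC or any DNS implementation. It computes key tags per RFC 4034 Appendix B, enumerates the (DNSKEY, RRSIG) pairs a validator following RFC 4035 section 5.3.3 would have to try (key tags are not unique, so this is up to #DNSKEY * #RRSIG verifications), and shows a per-RRset work budget cutting that loop short. The record contents, the key-tag-colliding keys, the `toy_verify` stand-in for the public-key operation and the helper names are all constructed for the demo.

```python
# Added example, not code from the original mail or from any DNS implementation.
# Models the RFC 4035 section 5.3.3 matching loop and bounds it with a work
# budget. Record contents and the `toy_verify` stand-in are constructed.
from dataclasses import dataclass
from hashlib import sha256
import struct


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 section 2.1 wire-format RDATA: flags, protocol, algorithm, key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (the non-algorithm-1 case): a 16-bit sum over the RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_pairs(keys, sigs):
    """The (DNSKEY, RRSIG) pairs RFC 4035 section 5.3.1 tells a validator to try
    (same owner assumed): match on key tag and algorithm. Tags are not unique,
    so this is up to len(keys) * len(sigs) signature verifications."""
    tags = {k: key_tag(k) for k in keys}
    return [(k, s) for s in sigs for k in keys
            if tags[k] == s.key_tag and k.algorithm == s.algorithm]


def validate_rrset(keys, sigs, verify, max_attempts=None):
    """Returns (status, attempts); status is "secure", "bogus" or "budget-exceeded".
    max_attempts=None removes the cap, which shows the unbounded cost."""
    attempts = 0
    for k, s in candidate_pairs(keys, sigs):
        if max_attempts is not None and attempts >= max_attempts:
            return "budget-exceeded", attempts
        attempts += 1  # one public-key operation per candidate pair
        if verify(k, s):
            return "secure", attempts
    return "bogus", attempts


def toy_verify(key: DNSKEY, sig: RRSIG) -> bool:
    # Constructed stand-in for the signature check: a signature "verifies" when it
    # equals a digest of the key. Only the per-attempt call count matters here.
    return sig.signature == sha256(key.rdata()).digest()


def good_sig_for(key: DNSKEY) -> RRSIG:
    # Constructed RRSIG that toy_verify accepts for this key.
    return RRSIG(key_tag=key_tag(key), algorithm=key.algorithm,
                 signature=sha256(key.rdata()).digest())


def make_key(n: int, width: int = 8) -> DNSKEY:
    # Distinct keys whose RDATA all sum to the same tag: a single 0x01 byte at
    # even offset 2*n of the public key (n < width // 2). Constructed for the demo.
    pk = bytearray(width)
    pk[2 * n] = 1
    return DNSKEY(flags=256, protocol=3, algorithm=13, public_key=bytes(pk))


def demo(n_keys: int = 10, n_sigs: int = 10, budget: int = 8):
    """Returns (candidate pair count, unbounded result, bounded result)."""
    keys = [make_key(i, width=2 * n_keys) for i in range(n_keys)]
    tag = key_tag(keys[0])
    # Every RRSIG names the shared tag; none carries a signature toy_verify accepts.
    sigs = [RRSIG(key_tag=tag, algorithm=13, signature=bytes([i])) for i in range(n_sigs)]
    unbounded = validate_rrset(keys, sigs, toy_verify)
    bounded = validate_rrset(keys, sigs, toy_verify, budget)
    return len(candidate_pairs(keys, sigs)), unbounded, bounded


if __name__ == "__main__":
    print(demo())
```

With ten keys sharing a tag and ten RRSIGs naming it, the unbounded validator performs all 100 verifications before declaring the RRset bogus, while the budgeted one stops after 8 and reports that it gave up. Returning a distinct "budget-exceeded" status rather than folding it into "bogus" is deliberate: it lets the operator log and count responses that were cut short, which is the signal you want when deciding whether the cap is too tight or the upstream data is hostile.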