On 31/07/2024 15.29, Petr Špaček wrote:
Per-zone limit does not defend against resource exhaustion because an attacker can construct a chain of delegations a.b.c.d.e...... and max out the limit on each level. Then you instantly get about 126*(per-zone limit on validations) just for this particular attack vector.
That's part of why I think the implementations need a different approach (than this RFC, too). Attackers can combine: do these long delegation chains, jump through several of them by CNAMEs, put the max. number of RRSIGs everywhere in a way that many fail, etc.
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
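The multiplication Petr describes, worked through as an added example that is not code from the thread or from any resolver. It builds the deepest chain of single-character delegations that still fits the 255-octet wire-name limit and counts the signature validations a toy resolver performs under a per-zone cap versus a single per-query budget; the names, the 8-validation limit, the 16 bogus RRSIGs per zone and the CNAME-hop parameter are all assumptions for illustration.

```python
"""Added example (not from the DNSOP thread): how a per-zone validation cap
multiplies along an attacker-built delegation chain a.b.c.d...

Toy model, all parameters are assumptions:
  - each zone cut serves `rrsigs_per_zone` signatures that all fail to verify;
  - a resolver with a per-zone cap stops after `per_zone_limit` failures in
    each zone and then moves to the next cut, so the caps add up;
  - a resolver with a per-query cap charges every validation, at every cut and
    across CNAME hops, against one budget.
"""
from dataclasses import dataclass

MAX_NAME_WIRE_OCTETS = 255  # RFC 1035 limit on a wire-format domain name


def max_delegation_depth(label_len: int = 1) -> int:
    """Most labels that fit in a wire name: each label costs len+1 octets,
    the root label costs 1.  With one-character labels that is 127."""
    return (MAX_NAME_WIRE_OCTETS - 1) // (label_len + 1)


def build_chain(tld: str = "x") -> list[str]:
    """All attacker-controlled zone cuts of the deepest one-character-label
    chain under a hypothetical TLD `tld` (the TLD itself is not counted).
    Returns ['a.x.', 'b.a.x.', 'c.b.a.x.', ...]; labels cycle through a..z,
    uniqueness is irrelevant for counting cuts."""
    budget = MAX_NAME_WIRE_OCTETS - 1 - (len(tld) + 1)  # minus root and TLD
    depth = budget // 2                                  # 2 octets per 1-char label
    labels = [chr(ord("a") + i % 26) for i in range(depth)]
    return [".".join(reversed(labels[:i])) + "." + tld + "."
            for i in range(1, depth + 1)]


@dataclass
class Attack:
    zone_cuts: list[str]   # delegation chain the resolver must walk
    rrsigs_per_zone: int   # bogus RRSIGs served at every cut (assumed)
    cname_hops: int = 1    # independent chains reached via CNAME (assumed)


def validations_per_zone_cap(attack: Attack, per_zone_limit: int) -> int:
    """Work forced on a resolver whose limit resets at every zone cut."""
    per_cut = min(attack.rrsigs_per_zone, per_zone_limit)
    return per_cut * len(attack.zone_cuts) * attack.cname_hops


def validations_per_query_cap(attack: Attack, per_query_limit: int) -> int:
    """Work forced on a resolver with one budget for the whole resolution."""
    demanded = attack.rrsigs_per_zone * len(attack.zone_cuts) * attack.cname_hops
    return min(demanded, per_query_limit)


if __name__ == "__main__":
    chain = build_chain("x")
    attack = Attack(chain, rrsigs_per_zone=16, cname_hops=1)
    print(f"zone cuts in chain: {len(chain)}  (deepest: {chain[-1][:20]}...)")
    print("per-zone cap of 8  ->", validations_per_zone_cap(attack, 8), "validations")
    print("per-query cap of 8 ->", validations_per_query_cap(attack, 8), "validations")
    attack.cname_hops = 4
    print("per-zone cap, 4 CNAME hops ->", validations_per_zone_cap(attack, 8))
```

With a one-character TLD the chain has 126 attacker-controlled cuts, so a per-zone cap of 8 lets a single query cost 1008 validations, and every CNAME hop onto a fresh chain multiplies that again, while the per-query budget stays at 8 regardless of how the attacker shapes the names. This is only a counting model: a real per-query budget still has to be set high enough for legitimately deep names and CNAME chains to resolve.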