On Jul 31, 2024, at 09:29, Petr Špaček <pspa...@isc.org> wrote:
>
> On 30. 07. 24 9:41, libor.peltan wrote:
>> 2) I would still vote for allowing one keytag collision per zone (not per
>> whole chain-of-trust, like Bind does) instead of none. This would be more
>> comfortable for many older/simpler signers and not too much additional work
>> for validating resolvers, IMHO.
>
> A per-zone limit does not defend against resource exhaustion because an
> attacker can construct a chain of delegations a.b.c.d.e...... and max out the
> limit on each level. Then you instantly get about 126*(per-zone limit on
> validations) just for this particular attack vector.

Rate limit these at 10/sec? It will allow random cases to work but will stop DDoS.

> I agree with the angle that the silent flag day has happened already. It's just
> undocumented (in the form of an RFC). People can still fix their too harsh code 😜
>
> I agree with both of you. This is a very small piece of the puzzle and IMHO not
> worth a standalone document - the overhead is too large.
>
> I could see value in a document "here's a list of ideas to think about if you
> are trying to defend against resource exhaustion" - in DNSSEC and DNS in
> general.

Yes

Paul
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
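As an added illustration of the validator-side trade-off argued above (this is example code, not from the thread or from any resolver), the following Python computes RFC 4034 key tags for constructed DNSKEY RDATA, counts colliding keys per zone, and contrasts a per-zone collision limit with a budget summed over the whole chain of trust; the 126-level chain and the `limit`/`budget` values are assumptions for the demonstration.

```python
"""Model of a DNSSEC validator's defence against DNSKEY key-tag collisions.

Added example, not code from the thread: RFC 4034 key tags over constructed
DNSKEY RDATA, collision counting per zone, and per-zone vs per-chain policy.
"""
from collections import Counter


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (algorithm != 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def collisions(dnskeys) -> int:
    """Number of extra keys sharing a tag with another key in the same RRset.
    Each extra key is one more signature a validator may have to try."""
    counts = Counter(key_tag(k) for k in dnskeys)
    return sum(n - 1 for n in counts.values())


def total_extra(chain) -> int:
    """Extra validations an attacker can force across the whole chain."""
    return sum(collisions(zone) for zone in chain)


def accept_per_zone(chain, limit: int = 1) -> bool:
    """Per-zone policy: every zone may carry up to `limit` collisions."""
    return all(collisions(zone) <= limit for zone in chain)


def accept_per_chain(chain, budget: int = 1) -> bool:
    """Per-chain policy: collisions are budgeted over the chain of trust."""
    return total_extra(chain) <= budget


# Constructed DNSKEY RDATA: flags=257, protocol=3, alg=13, tiny fake public key.
KEY_A = bytes([0x01, 0x01, 0x03, 0x0D, 0x01, 0x02, 0x03, 0x04])
KEY_B = bytes([0x01, 0x01, 0x03, 0x0D, 0x02, 0x02, 0x02, 0x04])  # same tag as KEY_A
KEY_C = bytes([0x01, 0x01, 0x03, 0x0D, 0x01, 0x02, 0x03, 0x05])  # different tag

# Assumed 126-level delegation chain (a.b.c.d....), one collision per zone.
DEEP_CHAIN = [[KEY_A, KEY_B, KEY_C]] * 126

if __name__ == "__main__":
    print("tags:", key_tag(KEY_A), key_tag(KEY_B), key_tag(KEY_C))
    print("per-zone policy accepts chain:", accept_per_zone(DEEP_CHAIN))
    print("per-chain policy accepts chain:", accept_per_chain(DEEP_CHAIN))
    print("extra validations forced:", total_extra(DEEP_CHAIN))
```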