On Tue, Mar 26, 2013 at 7:07 PM, Tom Paseka <t...@cloudflare.com> wrote:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpet...@netflight.com>
> wrote:
>>
>> On Tue, Mar 26, 2013 at 6:06 PM, John Levine <jo...@iecc.com> wrote:
>> >> As a white-hat attempting to find problems to address through legitimate
>> >> means, how do you …
>> >
>> > You make friends with people with busy authoritative servers and see
>> > who's querying them.
>>
>> I'm confused.  Don't most authoritative servers have to
>> answer to just about anyone in order to be useful?
>>
>> Matt
>
>
> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).

OK, but we started this discussion about open recursive resolvers,
right?  Securing your recursive resolvers is a very different problem
space from trying to come up with rate limits for your authoritative
nameservers.

In terms of impacts people are feeling today, is most of the pain
coming from open recursive servers being abused by miscreants,
or from miscreants doing spoofed queries against authoritative
nameservers?

The concern Valdis raised about securing recursives while still
being able to issue static nameserver IPs to mobile devices
is an orthogonal problem to Owen putting rate limiters on
the authoritative servers for he.net.  If we're all lighting up
pitchforks and raising torches, I'd kinda like to know at which
castle we're going to go throw pitchforks.

Matt
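
Tom's point above, that an authoritative server should rate limit and that a
client with a working cache should not re-ask the same question inside the
answer's TTL, is easiest to see in code. What follows is an added example
written for this thread; it is not code from any of the posters or from any
DNS server. Its assumptions are mine: a fixed one-second window instead of a
real token bucket, a /24 (IPv4) or /56 (IPv6) source key, and the BIND-style
"slip" behaviour in which every N-th over-limit response is sent truncated
(TC=1) so a genuine client can retry over TCP while a spoofed source gets
nothing worth amplifying. The sample traffic is constructed, not captured.

```python
"""Response rate limiting (RRL) on an authoritative nameserver, sketched in Python.

Added example, not the thread's or any server's code. Assumptions:
fixed 1-second window, /24 or /56 source key, BIND-style slip.
"""
from collections import Counter
import ipaddress

# Constructed sample traffic: (seconds, source IP, qname, qtype). Not real logs.
SAMPLE_QUERIES = [
    (0.00, "203.0.113.7", "example.net.", "ANY"),
    (0.05, "203.0.113.7", "example.net.", "ANY"),
    (0.10, "198.51.100.4", "www.example.net.", "A"),
    (0.10, "203.0.113.7", "example.net.", "ANY"),
    (0.15, "203.0.113.7", "example.net.", "ANY"),
    (0.20, "203.0.113.7", "example.net.", "ANY"),
    (0.25, "203.0.113.7", "example.net.", "ANY"),   # 6th in the window: over limit
    (0.30, "203.0.113.7", "example.net.", "ANY"),
    (0.35, "203.0.113.7", "example.net.", "ANY"),
    (0.60, "203.0.113.9", "example.net.", "ANY"),   # same /24, shares the bucket
    (1.50, "203.0.113.7", "example.net.", "ANY"),   # new window, answered again
]


class ResponseRateLimiter:
    """Per-(source prefix, qname, qtype) limiter with truncate-on-slip."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip              # every slip-th over-limit response is TC=1
        self.buckets = {}             # key -> (window_start, count)
        self.over = Counter()         # key -> over-limit responses seen so far

    @staticmethod
    def _key(client_ip, qname, qtype):
        # Spoofed sources are spread across a block, so key on the prefix
        # (assumed /24 for IPv4, /56 for IPv6), not the exact address.
        addr = ipaddress.ip_address(client_ip)
        plen = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network(f"{client_ip}/{plen}", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, ts, client_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for one incoming query."""
        key = self._key(client_ip, qname, qtype)
        start, count = self.buckets.get(key, (ts, 0))
        if ts - start >= 1.0:          # window expired: start a fresh one
            start, count = ts, 0
        count += 1
        self.buckets[key] = (start, count)
        if count <= self.limit:
            return "answer"
        self.over[key] += 1
        if self.slip and self.over[key] % self.slip == 0:
            return "truncate"          # TC=1: a real client retries over TCP
        return "drop"                  # a spoofed source just gets silence


def run_rrl(queries, **limiter_kwargs):
    """Apply the limiter to a query list; return per-query decisions and totals."""
    rrl = ResponseRateLimiter(**limiter_kwargs)
    decisions = [rrl.decide(*q) for q in queries]
    return {"decisions": decisions, "counts": Counter(decisions)}


def repeats_within_ttl(queries, ttl):
    """Tom's heuristic: a caching client should not ask the same question twice
    inside the answer's TTL. Returns the exact (ip, qname, qtype) tuples that did."""
    last_seen = {}
    suspects = set()
    for ts, ip, qname, qtype in queries:
        key = (ip, qname.lower(), qtype.upper())
        prev = last_seen.get(key)
        if prev is not None and ts - prev < ttl:
            suspects.add(key)
        last_seen[key] = ts
    return suspects


if __name__ == "__main__":
    result = run_rrl(SAMPLE_QUERIES)
    for q, d in zip(SAMPLE_QUERIES, result["decisions"]):
        print(f"{q[0]:5.2f}s {q[1]:<14} {q[2]:<18} {q[3]:<4} -> {d}")
    print("totals:", dict(result["counts"]))
    print("repeat offenders within TTL:", repeats_within_ttl(SAMPLE_QUERIES, 300))
```

Two things worth noticing when you run it. The limiter keys on the source
prefix, so the query from 203.0.113.9 lands in the bucket 203.0.113.7 already
exhausted, which is the behaviour you want against a spoofed /24 but also why
legitimate resolvers sharing a prefix behind NAT see occasional TC=1 answers.
And the TTL check flags only the address that re-asked; it is a detection
signal, not a drop decision, which is the distinction Matt is drawing between
tuning authoritative RRL and cleaning up open recursives.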
