On Tue, Mar 26, 2013 at 7:07 PM, Tom Paseka <t...@cloudflare.com> wrote: > On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpet...@netflight.com> > wrote: >> >> On Tue, Mar 26, 2013 at 6:06 PM, John Levine <jo...@iecc.com> wrote: >> >>As a white-hat attempting to find problems to address through legitimate >> >> means, how >> >>do you … >> > >> > You make friends with people with busy authoritative servers and see >> > who's querying them. >> >> I'm confused. Don't most authoritative servers have to >> answer to just about anyone in order to be useful? >> >> Matt > > > Authoritative DNS servers need to implement rate limiting. (a client > shouldn't query you twice for the same thing within its TTL).
OK, but we started this discussion about open recursive resolvers, right? Securing your recursive resolvers is a very different problem space from trying to come up with rate limits for your authoritative nameservers. In terms of impacts people are feeling today, is most of the pain coming from open recursive servers being abused by miscreants, or from miscreants doing spoofed queries against authoritative nameservers? The concern Valdis raised about securing recursives while still being able to issue static nameserver IPs to mobile devices is an orthogonal problem to Owen putting rate limiters on the authoritative servers for he.net. If we're all lighting up pitchforks and raising torches, I'd kinda like to know at which castle we're going to go throw pitchforks. Matt
