Re: [dns-operations] [DNSOP] dnsop-any-notimp violates the DNS standards

2015-03-12 Thread Michael Graff
Packet size is harder to analyze. ANY often pulls some records that aren't used, and if the site isn't configured carefully then ANY can even end up falling back to TCP, costing bytes _and_ packets. On the other hand, there are a huge number of Internet sites that don't have a noticeable volume of

Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Michael Graff
On Jun 28, 2012, at 2:35 PM, Paul Vixie wrote:
> On 6/28/2012 7:10 PM, Michael Graff wrote:
>>
>> "BCP 38" Enough said.
>
> what does that mean?

It means that time and time again, either sufficient mass must implement a feature like this, or it is effectively

Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Michael Graff
On Jun 28, 2012, at 1:55 PM, Paul Vixie wrote:
> we are now in the post-apocalyptic road-warrior phase of non-DNSSEC's
> history. it's difficult for me to imagine anyone choosing to remain an attack
> amplifier when they could instead sign their zones. but you're entirely right
> about the trad

Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Michael Graff
On Jun 28, 2012, at 1:37 PM, Vernon Schryver wrote:
>
> A separate aspect of this supposedly much, much longer window is that
> it seems to assume that after the client has received a truncated or
> TC=1 response and is going through the DNS/TCP dance, it will still
> accept forged, evil DNS/UDP

Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Michael Graff
On Jun 28, 2012, at 9:06 AM, Vernon Schryver wrote:
>
> That conclusion does not hold, because it does not define the narrow
> window alternative. 11 times as wide as what?

With a slip factor of 2, every other packet will be dropped, and the other packets returned will have the truncated bit s

Re: [dns-operations] question for DNS being attacked

2012-06-27 Thread Michael Graff
Yes, but also this. (expanded from "feel") It may also make Kaminsky style attacks easier if an attacker can blind an auth server from handing out responses. If the counter values are real from the RFC style paper, every other response becomes a truncated reply in a flood situation. This wil
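The two messages above (the 9:06 AM reply on the slip factor, and this one on every other response becoming a truncated reply under a flood) describe the same mechanism: once a client bucket is over its limit, RRL drops the excess responses except for every n-th one, which is sent as a small TC=1 reply. The following is an added illustration written for this page, not code from the thread, from BIND, or from any real RRL implementation. It models a credit bucket keyed by (client /24, qname, qtype) and then runs a constructed flood of 1000 spoofed ANY queries claiming to come from one victim address. The limit of 5 responses per second, the /24 bucketing, and the packet sizes (40-byte query, 3000-byte full ANY answer, 40-byte TC=1 reply) are assumptions chosen for the example.

```python
"""Toy model of DNS Response Rate Limiting (RRL) with a slip factor.

Added illustration only; not the code of any real RRL implementation.
All numeric constants below are assumptions for the example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # assumed per-bucket credit per second
    slip: int = 2                   # 0 = drop every over-limit response;
                                    # n = send every n-th one as TC=1 instead


def prefix24(ip: str) -> str:
    """Bucket clients by /24 (assumed; mirrors the common RRL default)."""
    return str(ip_network(f"{ip}/24", strict=False))


class ResponseRateLimiter:
    """Per (client /24, qname, qtype) credit bucket, refilled every second."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.buckets = {}   # key -> [second, credits_left, over_limit_count]

    def decide(self, now: float, client_ip: str, qname: str, qtype: str) -> str:
        key = (prefix24(client_ip), qname.lower().rstrip("."), qtype.upper())
        sec = int(now)
        bucket = self.buckets.get(key)
        if bucket is None or bucket[0] != sec:
            bucket = [sec, self.cfg.responses_per_second, 0]
            self.buckets[key] = bucket
        if bucket[1] > 0:
            bucket[1] -= 1
            return "answer"            # full response goes out
        bucket[2] += 1                 # over the limit for this second
        if self.cfg.slip and bucket[2] % self.cfg.slip == 0:
            return "truncate"          # small TC=1 reply; real clients retry over TCP
        return "drop"                  # nothing sent back to the (spoofed) source


# Constructed sizes, in bytes of UDP payload (assumptions for the example).
QUERY_BYTES = 40          # small ANY query with EDNS0
FULL_ANY_BYTES = 3000     # ANY answer for a well-populated zone
TC_RESPONSE_BYTES = 40    # TC=1 reply carrying only the question section


def simulate_flood(cfg: RRLConfig, n_queries: int, victim_ip: str = "192.0.2.10",
                   qname: str = "example.com", qtype: str = "ANY", now: float = 100.0):
    """Constructed flood: n spoofed queries in one second, all 'from' the victim."""
    rrl = ResponseRateLimiter(cfg)
    outcome = Counter()
    for _ in range(n_queries):
        outcome[rrl.decide(now, victim_ip, qname, qtype)] += 1
    return outcome, rrl


def reflected_bytes(outcome: Counter) -> int:
    """Bytes the authoritative server sends toward the victim."""
    return outcome["answer"] * FULL_ANY_BYTES + outcome["truncate"] * TC_RESPONSE_BYTES


def amplification(outcome: Counter, n_queries: int) -> float:
    """Reflected bytes divided by the bytes the attacker had to send."""
    return reflected_bytes(outcome) / (n_queries * QUERY_BYTES)


if __name__ == "__main__":
    for cfg in (RRLConfig(slip=0), RRLConfig(slip=2),
                RRLConfig(responses_per_second=10**9)):   # last one: RRL effectively off
        out, _ = simulate_flood(cfg, 1000)
        print(cfg, dict(out), f"amplification={amplification(out, 1000):.2f}x")
```

Running the script shows the trade-off the thread is arguing about: with RRL off, 1000 forty-byte queries pull 3 MB toward the victim (75x); with slip=2, only the first 5 responses are full, the remaining 995 alternate between dropped and TC=1, and the reflected volume falls below what the attacker sent. The TC=1 replies are what let a legitimate resolver whose address is being spoofed still reach the server over TCP, at the cost that, as the message above notes, a flooded bucket now answers only a fraction of that resolver's genuine queries over UDP.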

Re: [dns-operations] question for DNS being attacked

2012-06-27 Thread Michael Graff
On Jun 28, 2012, at 12:10 AM, Paul Vixie wrote:
> DNS RRL looks for unnatural similarities in a
> flow, and limits the rate accordingly. it will not stop a random-sourced
> attack nor a widely-reflected attack, but it has been shown to stop
> targeted attacks using a small number of reflectors.

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread Michael Graff
So if enough people stopped answering, users of qmail might change the field, even if the author won't change the code.

--Michael (from an iPhone)

On Jun 10, 2012, at 5:29, sth...@nethelp.no wrote:
>> Clue appreciated, thanks!
>
> One word: qmail. Google "qmail dns any query".
>
> It would a