On 11/07/2015 23:04, manning wrote:
> the one change i am working on is to obsolete RRsets since they are a
> primary cause of DNS originated DDoS in the Internet.
How do you propose to do that without completely breaking DNSSEC ?
RRSIGs are calculated over entire RRsets, not RRs.
Ray
(Hats off)
And some of us use RRsets to do things for their employer that is never best
practice, but necessary evils.
Tim
From my high tech gadget
> On Jul 12, 2015, at 16:40, Ray Bellis wrote:
>
>> On 11/07/2015 23:04, manning wrote:
>> the one change i am working on is to obsolete RRsets
> the one change i am working on is to obsolete RRsets since they are a primary
> cause of DNS originated DDoS in the Internet.
I thought the primary cause was spoofed source addresses.
Regards,
-drc
Mark,
On Jul 11, 2015, at 3:52 PM, Mark Andrews wrote:
>>> This is why you have working groups not check lists for evaluating.
>>
>> RFC 6761 specifies an IETF "Standards Action" or "IESG Approval", not a
>> working group decision.
>
> That's why we have groups of people look at the request. Not
>draft-pfrc-2181-handling-zone-cuts-00 (isn't this the basis for the dbound
>work?)
Nope. One of the few things we seem to agree on in the dbound group
is that we're not basing anything on zone cuts.
There may be other reasons to update this part of 2181, but dbound
isn't one.
R's,
John