> On 20 Jul 2016, at 06:19, Mark Andrews wrote:
>
>> That's not how DDoS works. If an attacker would only do what the specs say
>> we wouldn't have any DDoS. But an attacker can just create a UDP packet
>> with those bits and a spoofed address and fire it off (or get a botnet to
>> fire it off).
>
In message <36a593c1-1f01-4fe1-bc9a-3279f6460...@rfc1035.com>, Jim Reid writes:
>
> > On 20 Jul 2016, at 06:19, Mark Andrews wrote:
> >
> >> That's not how DDoS works. If an attacker would only do what the specs say
> >> we wouldn't have any DDoS. But an attacker can just create a UDP pa
> On 20 Jul 2016, at 08:40, Mark Andrews wrote:
>
> Nameservers make decisions TODAY about what they will put in a message
> based on COOKIES / TCP / UDP and a host of other considerations.
True. But that's orthogonal to the point I was making.
The draft *might* be heading in the direction of
Moin!
On 20 Jul 2016, at 7:34, 延志伟 wrote:
I understand your points, but these risks will always be there because the DNS
response is larger than the request, like DNSSEC.
Yes, which is why we have several proposals on how to mitigate the
problem by e.g. not giving back ALL qtypes to an ANY question, or
Jim,
On 20 Jul 2016, at 9:18, Jim Reid wrote:
It's a bit of a stretch to call that a suggestion and a far bigger one
to claim cookies and/or TCP as a necessary precondition. There's no
language like "clients and servers SHOULD (MUST?) use DNS
cookies/TCP/DNSoverTLS for EXTRA queries and respo
Moin!
On 20 Jul 2016, at 14:36, 延志伟 wrote:
But anyway, let's go back to the scenario considered by our draft to
illustrate its necessity.
I show an example as follows (although I think we have described it
several times. :-)):
In order to visit www.baidu.com, the user has to query
www.ba
Hi, Ralf,
We understand your worries and these negative effects can be fixed or descended
in the next version.
But anyway, let's go back to the scenario considered by our draft to illustrate
its necessity.
I show an example as follows (although I think we have described it several
times. :-)
Hi, Ralf, I understand prefetch by the recursive server and it is the common
case.
[https://tools.ietf.org/html/draft-liu-dnsop-dns-cache-00]
But if the recursive server asks: give me the A RR and all the related RRs under
your domain. And the authoritative server sends back the requested domain nam