Moin!

On Wed, Mar 25, 2015 at 10:11:55PM +0000, Darcy Kevin (FCA) wrote:
> Intriguing. I think there might be a temptation to take this idea one step
> further and say that preference should be given to the *smallest* RRset
> possible -- to reduce the degree of amplification. But that would be a
> mistake. It would, for instance, discriminate IPv4 over IPv6 (since A
> records are smaller than AAAA records) and certain services over others
> (SRV records are larger than MX records are larger than A records).

You can make an A record response that is a lot larger than an AAAA response, as you reply with an RRset that can hold a lot of A records. That is currently very popular with attackers that create purpose-built amplification domains.
> When
> the client doesn't get the RRset it wants from the QTYPE=* query, it'll
> follow up with one or more subsequent queries for the type(s) it cares
> about. Not very efficient, and the end result is more "amplification"
> than was hoped for.

I think we agreed long ago somewhere in this thread that all of this will not help with reducing amplification attacks. Other than that I think it could work, as ANY != ALL ;-).

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
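The point Ralf makes above, that the size of an answer is driven by the number of records in the RRset rather than by the record type, can be checked on the wire format directly. The following is an added example, not code from the thread or from any DNSOP participant: it assembles a minimal DNS query and a one-RRset response by hand (RFC 1035 header, question, and answer RRs whose owner name is a compression pointer to the question) and compares the resulting sizes. The owner name `example.com`, the 192.0.2.0/24 and 2001:db8::/32 addresses, and the record counts are constructed documentation values, not data from any real zone.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_ANY = 1, 28, 255
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Header (12 bytes, RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def build_response(name: str, qtype: int, rdatas, txid: int = 0x1234,
                   ttl: int = 3600) -> bytes:
    """Response carrying the question plus one RRset of len(rdatas) records.

    Each answer RR uses the compression pointer 0xC00C (offset 12, i.e. the
    question name) as its owner, so per-record overhead is 2 (pointer) +
    10 (TYPE, CLASS, TTL, RDLENGTH) + RDLENGTH bytes.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    answers = b""
    for rdata in rdatas:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, ttl,
                                             len(rdata)) + rdata
    return header + question + answers


def a_rdatas(n: int):
    """n constructed A RDATAs from TEST-NET-1 (192.0.2.0/24), 4 bytes each."""
    return [struct.pack("!4B", 192, 0, 2, i % 256) for i in range(n)]


def aaaa_rdatas(n: int):
    """n constructed AAAA RDATAs from 2001:db8::/32, 16 bytes each."""
    return [struct.pack("!8H", 0x2001, 0x0DB8, 0, 0, 0, 0, 0, i)
            for i in range(n)]


def amplification(query: bytes, response: bytes) -> float:
    """Bandwidth amplification factor: response bytes per query byte."""
    return len(response) / len(query)


def compare(name: str = "example.com", n_a: int = 100, n_aaaa: int = 1):
    """Return (A-response size, AAAA-response size, A amplification factor)."""
    q_a = build_query(name, QTYPE_A)
    r_a = build_response(name, QTYPE_A, a_rdatas(n_a))
    r_aaaa = build_response(name, QTYPE_AAAA, aaaa_rdatas(n_aaaa))
    return len(r_a), len(r_aaaa), amplification(q_a, r_a)


if __name__ == "__main__":
    a_len, aaaa_len, factor = compare()
    print("A x100 response: %d bytes, AAAA x1 response: %d bytes, "
          "A amplification: %.1fx" % (a_len, aaaa_len, factor))
```

For `example.com` the query is 29 bytes; a single-AAAA answer is 57 bytes, while an RRset of 100 A records comes to 29 + 16 * 100 = 1629 bytes, i.e. the A answer is roughly 28 times the AAAA answer and about 56 times the query. The 16-byte per-record figure depends on the owner name being compressed; an uncompressed owner would add the full name length per record. Whether a response of that size actually leaves the server over UDP is governed by the EDNS0 buffer size the querier advertises (512 bytes without EDNS0), which is why the per-type preference debated in the thread does little on its own against a zone that is built to be large.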