On Thu, May 07, 2015 at 09:11:53AM -0700, 神明達哉 wrote:
> According to Section 7.2.4.1 of draft-ietf-dnsop-cookies-01, the server
> will still return the full size of response, so the attack will still be
> effective.
Subject to rate limiting restraints, yes. BIND's experimental SIT implementation exempts clients from rate limiting if they have a valid cookie, but not otherwise. The cookie is more of a way for legitimate client traffic to be privileged than for attack traffic to be mitigated; we have other mechanisms in place to handle mitigation.

That said, however, I like the idea of adding the TC=1 response to the protocol specification as a MAY.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
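The policy Evan describes above, as an added worked example in Python (this is not BIND's SIT code and not text from the cookies draft): a query carrying a valid server cookie is exempt from rate limiting and gets the full answer; a query with no or a bad cookie also gets the full answer, but only until the rate limiter trips, after which the server answers with TC=1 and no answer section so a spoofed source reflects only a header-sized packet. The HMAC-SHA256 server-cookie construction, the fixed-window rate limiter, the 1200-byte answer size, the secret and the addresses are all constructed assumptions for the demo; the draft leaves the server-cookie algorithm to the implementation and real RRL is considerably more elaborate.

```python
# Added example: DNS Cookie validation plus a rate-limit / TC=1 fallback policy.
# Not BIND's SIT implementation; all constants below are constructed for the demo.
import hashlib
import hmac
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SERVER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
HEADER_LEN = 12          # fixed DNS header length
FULL_ANSWER_LEN = 1200   # constructed: size of the large answer an attacker wants reflected


def server_cookie(client_cookie: bytes, client_ip: str, secret: bytes = SERVER_SECRET) -> bytes:
    """Server cookie = first 8 bytes of HMAC-SHA256(secret, client_cookie || client_ip).
    Assumed construction for this example; it binds the cookie to the source address."""
    addr = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, client_cookie + addr, hashlib.sha256).digest()[:8]


def cookie_is_valid(option: Optional[bytes], client_ip: str, secret: bytes = SERVER_SECRET) -> bool:
    """A complete COOKIE option is an 8-byte client cookie followed by an 8-byte server cookie."""
    if option is None or len(option) != 16:
        return False
    client_cookie, presented = option[:8], option[8:]
    expected = server_cookie(client_cookie, client_ip, secret)
    return hmac.compare_digest(presented, expected)


class RateLimiter:
    """Fixed-window per-source counter (assumed; real RRL keys on response and /24, and slips)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._buckets = defaultdict(lambda: [0.0, 0])  # key -> [window_start, count]

    def allow(self, key: str, now: float) -> bool:
        start, count = self._buckets[key]
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._buckets[key] = [start, count]
        return count <= self.limit


@dataclass
class Query:
    src_ip: str
    qname: str
    cookie: Optional[bytes] = None   # raw EDNS COOKIE option data, or None if absent


@dataclass
class Response:
    tc: bool                  # TC=1 tells a real client to retry over TCP; a spoofed source never does
    wire_len: int
    cookie: Optional[bytes]   # COOKIE option handed back so a real client can learn its server cookie


def handle_query(q: Query, limiter: RateLimiter, now: float, secret: bytes = SERVER_SECRET) -> Response:
    # question section: length-prefixed labels + root label + QTYPE + QCLASS
    question_len = sum(len(label) + 1 for label in q.qname.rstrip(".").split(".")) + 1 + 4
    reply_cookie = None
    if q.cookie is not None and len(q.cookie) >= 8:
        reply_cookie = q.cookie[:8] + server_cookie(q.cookie[:8], q.src_ip, secret)

    if cookie_is_valid(q.cookie, q.src_ip, secret):
        # Valid cookie: source address is not spoofed, so exempt from rate limiting.
        return Response(False, HEADER_LEN + question_len + FULL_ANSWER_LEN, reply_cookie)

    if limiter.allow(q.src_ip, now):
        # Absent or bad cookie still receives the full answer while under the limit ...
        return Response(False, HEADER_LEN + question_len + FULL_ANSWER_LEN, reply_cookie)

    # ... and once over the limit receives TC=1 with no answer section (the proposed MAY).
    return Response(True, HEADER_LEN + question_len, reply_cookie)


def simulate(limit: int = 5) -> dict:
    """Flood from a spoofed source without cookies versus a cookied client, same window."""
    limiter = RateLimiter(limit=limit, window=1.0)
    victim, legit = "198.51.100.7", "203.0.113.9"   # constructed documentation addresses
    client_cookie = bytes(range(8))
    good_cookie = client_cookie + server_cookie(client_cookie, legit)
    spoofed = [handle_query(Query(victim, "example.", None), limiter, 0.1) for _ in range(20)]
    honest = [handle_query(Query(legit, "example.", good_cookie), limiter, 0.1) for _ in range(20)]
    return {
        "spoofed_full": sum(not r.tc for r in spoofed),
        "spoofed_truncated": sum(r.tc for r in spoofed),
        "spoofed_bytes": sum(r.wire_len for r in spoofed),
        "honest_full": sum(not r.tc for r in honest),
    }


if __name__ == "__main__":
    print(simulate())
```

With a limit of 5, the spoofed flood gets five 1225-byte answers and then fifteen 25-byte TC=1 replies, while the cookied client gets all twenty full answers; drop the TC=1 branch and the spoofed source would keep receiving full-size answers, which is exactly the concern in the quoted message.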