On Fri, Feb 5, 2016 at 10:10 PM, Tony Finch <d...@dotat.at> wrote:
> Last weekend one of our authoritative name servers
> (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it
> rather unhappy. Over the last week I have developed a patch for BIND to
> implement draft-ietf-dnsop-refuse-any which should allow us to handle
> ANY flood attacks better. http://fanf.livejournal.com/140566.html
>
> I still have a potential problem with RRSIG queries, which work a lot like
> ANY queries. Cloudflare's approach is to simply refuse them, which makes a
> lot of sense because RRSIG queries don't have the same interop concerns as
> ANY queries. However, in an attack like the ones we had last weekend where
> the queries arrived at our authoritative servers from lots of real
> recursive servers, a refusal will cause retries and make the attack worse.
>
> Would it be reasonable as an alternative to follow the refuse-any approach
> and just return the RRSIG(s) for one RRset? If so, I think this suggestion
> should be included in the draft.

For all you care you can even return a forged RRSIG/SIG, i.e. one that is made up on the fly; just make sure it covers a non-existing TYPE :-)
Olafur
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
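The answer-selection rule discussed above, as an added example that is not code from the thread, from BIND, or from draft-ietf-dnsop-refuse-any: for QTYPE=ANY it returns one RRset with its RRSIGs (the refuse-any behaviour), and for QTYPE=RRSIG it returns only the RRSIGs of one RRset, as Tony proposes, so a flood of such queries gets a small answer rather than a refusal that real recursors would retry. Everything here is assumed for illustration: the zone at `example.test.`, the RRSIG records (fixed fields zeroed, 128 filler bytes in place of a signature), the rule that picks the RRset smallest on the wire, and the size estimate without name compression. NODATA/NXDOMAIN responses and Olafur's on-the-fly RRSIG over a non-existent TYPE are not covered.

```python
import struct
from dataclasses import dataclass

A, NS, MX, TXT, AAAA, RRSIG, ANY = 1, 2, 15, 16, 28, 46, 255  # RR TYPE codes


@dataclass(frozen=True)
class RR:
    name: str
    rtype: int
    ttl: int
    rdata: bytes  # wire-format RDATA; for RRSIG, bytes 0-1 hold the covered TYPE


def wire_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name: length-prefixed labels plus root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr_wire_size(rr: RR) -> int:
    """Bytes an RR occupies in a response: NAME + TYPE + CLASS + TTL + RDLENGTH + RDATA."""
    return len(wire_name(rr.name)) + 2 + 2 + 4 + 2 + len(rr.rdata)


def covered_type(rrsig: RR) -> int:
    return struct.unpack("!H", rrsig.rdata[:2])[0]


def rrsets_at(zone, qname):
    """Split records at qname into data RRsets (keyed by TYPE) and RRSIGs (keyed by covered TYPE)."""
    data, sigs = {}, {}
    for rr in zone:
        if rr.name != qname:
            continue
        if rr.rtype == RRSIG:
            sigs.setdefault(covered_type(rr), []).append(rr)
        else:
            data.setdefault(rr.rtype, []).append(rr)
    return data, sigs


def pick_smallest_rrset(types, data, sigs):
    """Assumed selection rule: the TYPE whose RRset plus its RRSIGs is smallest on the wire.
    Ties break on the numeric TYPE so the choice is deterministic across queries."""
    def size(t):
        return sum(rr_wire_size(rr) for rr in data.get(t, []) + sigs.get(t, []))
    return min(types, key=lambda t: (size(t), t))


def answer(zone, qname, qtype, minimal=True):
    """Answer section for (qname, qtype). With minimal=True, ANY yields one RRset with its
    RRSIGs and RRSIG yields the RRSIGs of one RRset; other QTYPEs are answered normally.
    Returns [] when nothing matches (negative answers are outside this example)."""
    data, sigs = rrsets_at(zone, qname)
    if qtype == ANY:
        types = [pick_smallest_rrset(list(data), data, sigs)] if data and minimal else sorted(data)
        return [rr for t in types for rr in data[t] + sigs.get(t, [])]
    if qtype == RRSIG:
        types = [pick_smallest_rrset(list(sigs), data, sigs)] if sigs and minimal else sorted(sigs)
        return [rr for t in types for rr in sigs[t]]
    return data.get(qtype, []) + sigs.get(qtype, [])


def answer_size(rrs) -> int:
    return sum(rr_wire_size(rr) for rr in rrs)


# --- constructed zone: placeholder signatures, not real DNSSEC material ---
def fake_rrsig(owner, covered, sig_len=128):
    # RRSIG RDATA: type covered(2) alg(1) labels(1) orig TTL(4) expiration(4)
    # inception(4) key tag(2) signer name, signature. Fixed fields zeroed, filler signature.
    rdata = struct.pack("!H", covered) + b"\x00" * 16 + wire_name("example.test.") + b"\xab" * sig_len
    return RR(owner, RRSIG, 3600, rdata)


NAME = "example.test."
ZONE = [
    RR(NAME, A, 3600, bytes([192, 0, 2, 1])),
    RR(NAME, AAAA, 3600, bytes(16)),
    RR(NAME, MX, 3600, struct.pack("!H", 10) + wire_name("mail.example.test.")),
    RR(NAME, TXT, 3600, bytes([11]) + b"v=spf1 -all"),
    RR(NAME, NS, 3600, wire_name("ns1.example.test.")),
    RR(NAME, NS, 3600, wire_name("ns2.example.test.")),
] + [fake_rrsig(NAME, t) for t in (A, AAAA, MX, TXT, NS)]

if __name__ == "__main__":
    for qtype, label in ((ANY, "ANY"), (RRSIG, "RRSIG")):
        full, small = answer(ZONE, NAME, qtype, minimal=False), answer(ZONE, NAME, qtype)
        print(f"{label}: full {len(full)} RRs / {answer_size(full)} B, "
              f"minimal {len(small)} RRs / {answer_size(small)} B")
```

On this constructed zone the full ANY answer is 11 RRs, the minimal one 2 RRs, and the RRSIG answer drops from 5 signatures to 1; the size difference is what an amplification attacker is after, which is why returning something small beats REFUSED when the queries come from real recursive servers.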