Re: How to Setup DNSSEC
On Oct 16, 2012, at 7:48 PM, pangj wrote:

> $ dig +dnssec udp53.org soa
>
> ; <<>> DiG 9.6.1-P2 <<>> +dnssec udp53.org soa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37254
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

This problem has been solved. I inserted the DS record last night. :)

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Reply: Re: Reply: Re: Possible DDoS?
Because my server also used to be hacked and sent this kind of junk queries, and my server was null-routed by the datacenter. The high bandwidth happened exactly on my server.

-----Original Message-----
From: Phil Mayers
Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.org
Date: Thu, 18 Oct 2012 00:22:24
To:
Subject: Re: Reply: Re: Possible DDoS?

On 10/18/2012 12:12 AM, Tony Xue wrote:
>
> I am pretty sure the sources were hacked because one of my another

What makes you think the source IPs were real?
Re: Reply: Re: Possible DDoS?
On 10/18/2012 12:12 AM, Tony Xue wrote:
> I am pretty sure the sources were hacked because one of my another

What makes you think the source IPs were real?
Reply: Re: Possible DDoS?
I used to get the same problem, but that was every time from three or four different source IPs, and they were all querying "ripe.net IN ANY" at around 10 queries per second. I am pretty sure the sources were hacked because another one of my DNS servers also became a source of the attack, and from the packets I can see it is exactly the same type of attack.

-----Original Message-----
From: Phil Mayers
Sender: bind-users-bounces+xuezxbb=gmail@lists.isc.org
Date: Wed, 17 Oct 2012 23:59:11
To:
Subject: Re: Possible DDoS?

On 10/17/2012 07:39 PM, Dennis Clarke wrote:
> I have the exact same problem with an ip inside State of Colorado
> General Government Computer subnet :
>
> http://whois.arin.net/rest/org/SCGGC

That's not exactly a fly-by-night organisation; have you contacted them?

> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :

Some packets are arriving with that source IP. Big difference.

It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to).

> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
>
> Makes no sense to me what is going on there.

Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed source. DNS server sends 1 million DNS replies of 1000 bytes each to the spoofed IP.

10x amplification means the attacker can use lower-spec machines to overload a target.

Or something is just broken, and the source IPs are real - in which case, contact them.
Re: Possible DDoS?
On 10/17/2012 07:39 PM, Dennis Clarke wrote:
> I have the exact same problem with an ip inside State of Colorado
> General Government Computer subnet :
>
> http://whois.arin.net/rest/org/SCGGC

That's not exactly a fly-by-night organisation; have you contacted them?

> Some server there has been pounding queries at me at a rate of
> 48,000+ a day :

Some packets are arriving with that source IP. Big difference.

It's possible (likely?) the sources are spoofed, and someone is inducing *you* to bombard that IP with replies (or trying to).

> Queries show up in bunches, while the average is every 1.7 secs I see
> dozens of queries all arrive nearly at the same time, then a ten
> second pause, then again another burst.
>
> Makes no sense to me what is going on there.

Attacker sends 1 million DNS queries of 100 bytes each, with a spoofed source. DNS server sends 1 million DNS replies of 1000 bytes each to the spoofed IP.

10x amplification means the attacker can use lower-spec machines to overload a target.

Or something is just broken, and the source IPs are real - in which case, contact them.
Re: Possible DDoS?
> From time to time I notice a large number of queries like these to one
> of my external dns servers:
>
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet *
> ?
>
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.
> Thanks
>

I have the exact same problem with an ip inside State of Colorado General Government Computer subnet :

http://whois.arin.net/rest/org/SCGGC

Some server there has been pounding queries at me at a rate of 48,000+ a day :

# head -1 named.run
08-Oct-2012 17:40:49.733 now using logging configuration from config file
#
# grep "^08-Oct-2012" named.run | grep -c "165\.127\.10\.50"
12245
# grep "^09-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48200
# grep "^10-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48198
# grep "^11-Oct-2012" named.run | grep -c "165\.127\.10\.50"
47737
# grep "^12-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48345
# grep "^13-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48810
# grep "^14-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48385
# grep "^15-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48429
# grep "^16-Oct-2012" named.run | grep -c "165\.127\.10\.50"
48768

Thus far today :

# grep "^17-Oct-2012" named.run | grep -c "165\.127\.10\.50"
37279

Queries show up in bunches, while the average is every 1.7 secs I see dozens of queries all arrive nearly at the same time, then a ten second pause, then again another burst.

Makes no sense to me what is going on there.

Dennis
RE: Possible DDoS?
Thanks

So that is why there are usually no NS records?

-----Original Message-----
From: Chuck Swiger [mailto:cswi...@mac.com]
Sent: Wednesday, October 17, 2012 2:31 PM
To: Manson, John
Cc: bind-users@lists.isc.org
Subject: Re: Possible DDoS?

Hi--

On Oct 17, 2012, at 11:17 AM, Manson, John wrote:
> From time to time I notice a large number of queries like these to one of my
> external dns servers:
>
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
>
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.

That sure looks to be a DNS-based DDoS. Note that IP 121.10.105.66 is actually the victim being attacked-- the attackers forge that address and make queries which send lots of traffic to it.

Blackholing them on your side will mitigate against the DDoS, but also break any legitimate traffic which they might send. (They can always use public DNS servers like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about legit requests from them too much.)

Regards,
--
-Chuck
Re: How to Setup DNSSEC
babu dheen wrote:
>
> All users in our company using internal DNS server for name resolution.
> All internal DNS server are pointed to our gateway recursive BIND name
> server which is responsible for getting DNS queries from authoritative
> internet DNS server.
>
> Now we would like to configure DNSSEC on my gateway DNS and internal DNS
> server.

For recursive DNSSEC, I recommend BIND 9.8 or newer, since then you don't have to mess around with getting the root trust anchor.

Once you have a recent version of the software, check your network isn't broken using a DNS reply size tester such as https://www.dns-oarc.net/oarc/services/replysizetest/

If large UDP packets and TCP/53 get through OK, then you can go ahead and add the following to the options section of your nameserver configuration:

	dnssec-validation auto;
	dnssec-lookaside auto;

And that's it.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Re: Possible DDoS?
Hi--

On Oct 17, 2012, at 11:17 AM, Manson, John wrote:
> From time to time I notice a large number of queries like these to one of my
> external dns servers:
>
> 14:14:40.01407 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> [ ... ]
> 14:14:40.98668 121.10.105.66 -> 143.231.1.67 DNS C gop.gov. Internet * ?
> 14:14:40.99417 121.10.105.66 -> 143.231.1.67 DNS C speaker.gov. Internet * ?
>
> Does this rise to the level of a DDoS attack?
> No NS record for this IP.
> I blackhole IPs that behave like this.

That sure looks to be a DNS-based DDoS. Note that IP 121.10.105.66 is actually the victim being attacked-- the attackers forge that address and make queries which send lots of traffic to it.

Blackholing them on your side will mitigate against the DDoS, but also break any legitimate traffic which they might send. (They can always use public DNS servers like 4.2.2.1 or 8.8.8.8 if they need to, though, so don't worry about legit requests from them too much.)

Regards,
--
-Chuck
Possible DDoS?
From time to time I notice a large number of queries like these to one of my external dns servers:
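The pattern John and Dennis describe (dozens of identical queries from one address inside a second, then a pause) is easy to pick out mechanically. This is an added example, not code from the thread: it parses query-log lines in the snoop-style layout John quoted, flags sources whose peak query count inside a sliding window crosses a threshold, and applies Phil Mayers' amplification arithmetic to estimate what the server would reflect at the spoofed address. The sample log is constructed; the window and threshold values are assumptions.

```python
import re
from collections import defaultdict

# Query-log line layout as quoted in the thread (snoop-style):
#   HH:MM:SS.fffff  src -> dst  DNS C <qname> <class> <type> ?
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+DNS C\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+\?\s*$"
)

def parse_line(line):
    """Return seconds-since-midnight, src, qname and qtype, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mnt, s = m["ts"].split(":")
    return {"t": int(h) * 3600 + int(mnt) * 60 + float(s),
            "src": m["src"], "qname": m["qname"], "qtype": m["qtype"]}

def find_bursts(lines, window=1.0, threshold=20, any_only=False):
    """Map source -> peak number of queries inside any `window`-second span,
    keeping only sources whose peak reaches `threshold`. `any_only` restricts
    the count to ANY ('*') queries, the type the floods in the thread used."""
    per_src = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q is None or (any_only and q["qtype"] != "*"):
            continue
        per_src[q["src"]].append(q["t"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def amplification_factor(query_bytes, reply_bytes):
    """Phil Mayers' arithmetic: 100-byte queries, 1000-byte replies -> 10x."""
    return reply_bytes / query_bytes

def reflected_load(flagged, window=1.0, reply_bytes=1000):
    """Bytes per second the server would reflect to each spoofed source if it
    answered every query in the peak window with a `reply_bytes` response."""
    return {src: peak * reply_bytes / window for src, peak in flagged.items()}

# Constructed sample: 40 forged ANY queries in 0.8 s carrying the spoofed
# source 121.10.105.66 from the thread, plus three ordinary A lookups.
SAMPLE_LOG = [
    f"14:14:40.{i * 2000:05d} 121.10.105.66 -> 143.231.1.67 DNS C "
    f"{'gop.gov.' if i % 3 else 'speaker.gov.'} Internet * ?"
    for i in range(40)
] + [
    "14:14:41.10000 10.0.0.5 -> 143.231.1.67 DNS C www.house.gov. Internet Addr ?",
    "14:14:45.00000 10.0.0.5 -> 143.231.1.67 DNS C house.gov. Internet Addr ?",
    "14:14:52.30000 10.0.0.5 -> 143.231.1.67 DNS C speaker.gov. Internet Addr ?",
]

if __name__ == "__main__":
    hits = find_bursts(SAMPLE_LOG, any_only=True)
    print(hits, reflected_load(hits))
```

Run over a real capture, a flagged source is a candidate for the ACL, RRL or upstream (S/RTBH) handling discussed later in the thread rather than proof that the address itself is hostile, since it is usually the victim.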
RE: about DNS RRL
>> You're thinking that the rate limit is intended to protect YOUR server.
>> It's actually to prevent your server from being used as a reflector to
>> attack some OTHER server. The spoofed addresses all point to that
>> server.

> Sorry I just can't understand that why my server is being used to attack
> other's servers?

People (bad people) spoof a query source (the victim's address) and fire a query at your server. If your server allows queries from the Internet (etc), then it will reply to the victim. Generally speaking, the query is smaller than the reply, so the attacker uses your server to amplify the attack, which is why this is a DNS amplification attack. If you do this at 50qps from 10,000 botnet servers, you can generate a lot of traffic very easily, for a very small investment.

This attack relies on open resolvers on the internet, so if you don't need your DNS server to be queried by the entire internet, throw an ACL in front of it/on it and limit who can talk to you.

Because I like pictures, here's a simple one to show what I'm getting at:
http://infosecurity.jp/wp-content/uploads/2011/02/113.jpg

Hope that helps.

t.
Re: about DNS RRL
> In article , pangj wrote:
>
>> I have read the document of redbarn RRL for BIND and this NSD RRL:
>> https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>>
>> I have a question that, since the DDoS to DNS are coming from spoofed
>> IPs. But RRL is working based on source IP. So how can it stop the real
>> life attack?
>
> You're thinking that the rate limit is intended to protect YOUR server.
> It's actually to prevent your server from being used as a reflector to
> attack some OTHER server. The spoofed addresses all point to that
> server.

Sorry, I just can't understand why my server is being used to attack other people's servers?
DNS accept filter
I'm not sure if this is of interest to anyone, but I wrote a FreeBSD accept filter for DNS a few years ago. An accept filter is a socket option that you can use to tell the kernel to wait before the accept() syscall returns. In this case, the accept filter delays the return of accept until there is a full DNS request in the buffer.

Named already tries to use FreeBSD's data-ready accept filter, but I've been using the patch below to make it use the DNS filter, if it is available. Would there be interest in taking this into the BIND tree?

David.

(Note, to use the filter, you have to patch named and load the kernel module, "kldload accf_dns", and then restart named.)

Index: bin/named/interfacemgr.c === RCS file: /home/ncvs/src/contrib/bind9/bin/named/interfacemgr.c,v retrieving revision 1.8 diff -u -r1.8 interfacemgr.c --- bin/named/interfacemgr.c5 Apr 2012 04:29:35 - 1.8 +++ bin/named/interfacemgr.c17 Oct 2012 13:00:13 - @@ -328,7 +328,9 @@ * If/when there a multiple filters listen to the * result. */ - (void)isc_socket_filter(ifp->tcpsocket, "dataready"); + if (isc_socket_filter(ifp->tcpsocket, "dnsready") != ISC_R_SUCCESS) + isc_socket_filter(ifp->tcpsocket, "dataready"); + result = ns_clientmgr_createclients(ifp->clientmgr, ifp->ntcptarget, ifp,
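Review bot: the fallback line `+ isc_socket_filter(ifp->tcpsocket, "dataready");` drops the explicit `(void)` cast that the removed line carried and still ignores the return value, so when neither "dnsready" nor "dataready" can be installed named says nothing; an operator who has just run `kldload accf_dns` then has no way to see from named which filter, if any, engaged. Suggest keeping the cast (or checking the second result too) and logging which filter was installed, at least at debug level. The surrounding comment "If/when there a multiple filters listen to the result." also no longer matches the code, since this hunk is precisely the point where a second filter is added and the result is consulted; it should be updated or removed in the same change.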
Solaris 11 and BIND 64-bit
Has anybody had any luck getting the latest BIND 9.9.2 to compile on Solaris 11 SPARC with 64-bit binaries? I have tried with both GCC version 4.5.2 and Solaris Studio 12.3. Everything configures, links and compiles fine, but when I try to run named or dig I get core dumps. Not sure if the same holds true on x86-64 platforms.

Any insight/help in this will be appreciated.

Regards
--
---
Jaco Lesch
SAIX HLS
Email: ja...@saix.net
Re: about DNS RRL
In article , pangj wrote:

> I have read the document of redbarn RRL for BIND and this NSD RRL:
> https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>
> I have a question that, since the DDoS to DNS are coming from spoofed
> IPs. But RRL is working based on source IP. So how can it stop the real
> life attack?

You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server.

--
Barry Margolin
Arlington, MA
Re: about DNS RRL
On 10/17/2012 09:17 AM, pangj wrote:
> I have read the document of redbarn RRL for BIND and this NSD RRL:
> https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
>
> I have a question that, since the DDoS to DNS are coming from spoofed
> IPs. But RRL is working based on source IP. So how can it stop the real
> life attack?

It doesn't stop it (indeed, can't). It mitigates the impact.

The DDoS tends to come from a fixed set of spoofed sources at any one time. RRL helps, in that it:

1. punts early in the path, lowering resolver CPU use, and
2. returns a minimal response, which prevents amplification.

Remember the DDoS is actually directed at the spoofed source, not the DNS server. The DNS server is merely an unwilling participant. RRL helps prevent that participation.

There is, as I understand it, some spotty evidence that the attackers will move to a different server if RRL seems to be in use. How this happens I don't know - maybe they probe with real IPs? - but I've heard others emphatically claim this is not the case, and attackers will continue to blindly flail at you until the attacking node goes down.

The only solution to these kinds of attacks is for providers to implement BCP 38, and for upstream providers to start de-peering providers who don't. I rate this about as likely as... a very unlikely thing.

S/RTBH can help the DNS provider, if they're being overwhelmed and their upstream supports it.
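Both the reply above and the later explanation in this thread (spoofed victim address, reply larger than query, your server as the amplifier) come down to one mechanism: RRL budgets responses per source, so a forged source gets a bounded number of full answers no matter how many queries carry its address. This is an added example, not BIND's or NSD's RRL implementation: a deliberately simplified per-(client /24, qname, qtype) credit bucket with a "slip" that turns every second over-budget response into a tiny truncated (TC) reply, run over constructed traffic so the bytes reaching the victim can be compared with and without limiting. Rate, window, slip and the reply sizes are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

FULL_REPLY_BYTES = 3000   # assumed size of a large ANY answer
TC_REPLY_BYTES = 40       # assumed size of a truncated (TC=1) reply

class ResponseRateLimiter:
    """Per-(client /24, qname, qtype) budget of full responses per second.

    Assumed simplification of RRL: a bucket starts with `rate` credits, earns
    `rate` credits per elapsed second up to `rate * window`, and spends one per
    full answer. Once empty, every `slip`-th response is sent as a tiny
    truncated reply (a genuine client simply retries over TCP; a spoofed
    victim receives a few dozen bytes) and the rest are dropped outright."""

    def __init__(self, rate=5, window=1, slip=2):
        self.rate, self.window, self.slip = rate, window, slip
        self.buckets = {}                # key -> [credits, last_second]
        self.limited = defaultdict(int)  # key -> over-budget responses so far

    @staticmethod
    def key(client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'answer', 'slip' or 'drop' for one incoming query."""
        k = self.key(client_ip, qname, qtype)
        sec = int(now)
        credits, last = self.buckets.get(k, (self.rate, sec))
        if sec > last:  # replenish for whole seconds that have passed
            credits = min(self.rate * self.window, credits + self.rate * (sec - last))
        if credits >= 1:
            self.buckets[k] = [credits - 1, sec]
            return "answer"
        self.buckets[k] = [credits, sec]
        self.limited[k] += 1
        return "slip" if self.slip and self.limited[k] % self.slip == 0 else "drop"

def simulate(queries, limiter):
    """Run (time, src, qname, qtype) tuples through the limiter and return
    per-source decision counts plus the bytes each source address receives."""
    decisions = defaultdict(Counter)
    bytes_to = Counter()
    size = {"answer": FULL_REPLY_BYTES, "slip": TC_REPLY_BYTES, "drop": 0}
    for t, src, qname, qtype in sorted(queries):
        d = limiter.decide(t, src, qname, qtype)
        decisions[src][d] += 1
        bytes_to[src] += size[d]
    return decisions, bytes_to

# Constructed traffic: 100 forged "ripe.net ANY" queries within one second
# carrying the victim address 203.0.113.9, plus three genuine lookups from
# 198.51.100.7 (both documentation ranges, not real hosts).
VICTIM, LEGIT = "203.0.113.9", "198.51.100.7"
FLOOD = [(i / 100, VICTIM, "ripe.net", "ANY") for i in range(100)]
GENUINE = [(t, LEGIT, "www.example.com", "A") for t in (0.10, 0.50, 0.90)]

def run():
    limiter = ResponseRateLimiter(rate=5, window=1, slip=2)
    decisions, bytes_to = simulate(FLOOD + GENUINE, limiter)
    return {"victim": dict(decisions[VICTIM]), "legit": dict(decisions[LEGIT]),
            "victim_bytes": bytes_to[VICTIM],
            "victim_bytes_without_rrl": len(FLOOD) * FULL_REPLY_BYTES}

if __name__ == "__main__":
    print(run())
```

The genuine client is unaffected because its bucket key differs, which is also why the limiter never needs the source address to be authentic: it only needs the forged address to repeat.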
about DNS RRL
I have read the document of redbarn RRL for BIND and this NSD RRL:
https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/

I have a question: since the DDoS to DNS is coming from spoofed IPs, but RRL is working based on source IP, how can it stop the real life attack?

Thanks.
Re: How to Setup DNSSEC
At 21:10 16-10-2012, pangj wrote:
> IMO, a resolver will have the ability to get the public key of a ZSK for
> validating the signed RR. How will it get this public key? And, is the
> usage of a KSK similar to the CA certificate?

See http://www.nlnetlabs.nl/publications/dnssec_howto/

Regards,
-sm