Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-21 Thread Stephane Bortzmeyer
On Tue, May 17, 2016 at 03:44:29PM +0200, bert hubert wrote a message of 31 lines which said: > I expect PowerDNS might extend the root-nx-trust to other domains, This is what Unbound does (see section 8 of draft-ietf-dnsop-nxdomain-cut-03). https://www.unbound.net/documentation/unbound.conf

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-21 Thread Stephane Bortzmeyer
On Tue, May 17, 2016 at 12:37:11PM +0200, Johan Ihrén wrote a message of 56 lines which said: > It strikes me that this is a case where qname minimization would not > only help privacy, but also help with this problem as the resulting > NXDOMAIN will cover the entire non-existent TLD. Yes, QN

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-17 Thread bert hubert
On Mon, May 16, 2016 at 06:35:10PM -0400, Shumon Huque wrote: > PowerDNS's root-nx-trust is I believe an implementation of what is described > in nxdomain-cut: > > https://tools.ietf.org/html/draft-ietf-dnsop-nxdomain-cut-03 > > rather than the nsec-aggressive-use or cheese-shop drafts - thos

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-17 Thread Shumon Huque
On Tue, May 17, 2016 at 6:37 AM, Johan Ihrén wrote: > Hi, > > On 17 May 2016, at 11:14 , Peter van Dijk > wrote: > > > On 17 May 2016, at 0:35, Shumon Huque wrote: > > > >> On Mon, May 16, 2016 at 5:45 PM, bert hubert > > >> wrote: > >> > >>> It is in fact something you can do today. Some of th

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-17 Thread Johan Ihrén
Hi, On 17 May 2016, at 11:14 , Peter van Dijk wrote: > On 17 May 2016, at 0:35, Shumon Huque wrote: > >> On Mon, May 16, 2016 at 5:45 PM, bert hubert >> wrote: >> >>> It is in fact something you can do today. Some of the largest PowerDNS >>> Recursor sites in the world run with 'root-nx-trust

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-17 Thread bert hubert
On Mon, May 16, 2016 at 09:34:17PM +, Wessels, Duane wrote: > I think what you're suggesting has already been proposed. See > https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and > https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/ It is in fact somet

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-17 Thread Peter van Dijk
Hello Shumon, On 17 May 2016, at 0:35, Shumon Huque wrote: On Mon, May 16, 2016 at 5:45 PM, bert hubert wrote: It is in fact something you can do today. Some of the largest PowerDNS Recursor sites in the world run with 'root-nx-trust' enabled: "If set, an NXDOMAIN from the root-servers wi

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread John Levine
In article you write: >Why not run a local copy of the root? It should be a good practice for >large recursives, plus you get better latency. That's what I'd do, too. It's easy to set up and it avoids a whole lot of problems. The root zone is still very small, and it's surprisingly easy to se

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread Tony Finch
Brian Somers wrote: > Hi folks, Hi Brian! > However, during the attack, we also saw a huge number of TCP > sockets in > TIME_WAIT talking to root servers (probably all root servers). I’m > curious if > > 1. Are root servers doing some sort of tar pitting where they send a TC > and then firewal

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread John Heidemann
On Mon, 16 May 2016 14:23:49 -0700, Brian Somers wrote: >Hi folks, > >I work at OpenDNS. We saw a DoS attack in Miami on Friday night around >10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each >of AAA, BBB, CCC and DDD are three digit numbers not greater than 500. > >

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread Shumon Huque
On Mon, May 16, 2016 at 5:45 PM, bert hubert wrote: > On Mon, May 16, 2016 at 09:34:17PM +, Wessels, Duane wrote: > > Hi Brian, > > > > I think what you're suggesting has already been proposed. See > https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ > and https://data

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 09:34:17PM +, Wessels, Duane wrote: > Hi Brian, > > I think what you're suggesting has already been proposed. See > https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and > https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/ It i

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread Marek Vavruša
Why not run a local copy of the root? It should be a good practice for large recursives, plus you get better latency. Marek On Mon, May 16, 2016 at 2:34 PM, Wessels, Duane wrote: > Hi Brian, > > I think what you're suggesting has already been proposed. See > https://datatracker.ietf.org/doc/dr

Re: [DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread Wessels, Duane
Hi Brian, I think what you're suggesting has already been proposed. See https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/ and https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/ DW > On May 16, 2016, at 2:23 PM, Brian Somers wrote: > > Hi folks, > > I

[DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread Brian Somers
Hi folks, I work at OpenDNS. We saw a DoS attack in Miami on Friday night around 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each of AAA, BBB, CCC and DDD are three digit numbers not greater than 500. Each query was answered with an NXDOMAIN by the root servers,
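To make concrete why the thread keeps coming back to 'root-nx-trust', NXDOMAIN cut and QNAME minimisation, here is a small simulation of the query pattern Brian reports (four three-digit labels, each at most 500) against a toy resolver. It is an added illustration written for this page, not OpenDNS, PowerDNS or Unbound code; the fake root zone (a handful of TLDs), the fixed negative TTL, and all class and function names are assumptions. It counts how many queries reach the root for the same stream under three resolver settings.

```python
"""Toy model of root-nx-trust and QNAME minimisation against a flood of
queries for random non-existent names (AAA.BBB.CCC.DDD).  Added example;
not code from any real resolver."""
import random

# Constructed root zone: only these TLDs exist, everything else is NXDOMAIN.
ROOT_TLDS = {"com", "net", "org", "arpa"}
NEGATIVE_TTL = 3600  # assumed; a real resolver takes the SOA MINIMUM from the authority section


class FakeRoot:
    """Stand-in for the root servers; counts the queries it has to answer."""
    def __init__(self):
        self.queries = 0

    def query(self, qname):
        self.queries += 1
        tld = qname.rstrip(".").lower().rsplit(".", 1)[-1]
        return ("REFERRAL", tld) if tld in ROOT_TLDS else ("NXDOMAIN", None)


class Resolver:
    """Minimal recursive resolver: only the root step and the negative cache are modelled."""
    def __init__(self, root, root_nx_trust=False, qname_min=False):
        self.root = root
        self.root_nx_trust = root_nx_trust
        self.qname_min = qname_min
        self.neg_cache = {}   # owner name -> expiry time
        self.now = 0

    def _covered(self, name):
        # NXDOMAIN cut (draft-ietf-dnsop-nxdomain-cut): a cached NXDOMAIN for
        # any ancestor of the name covers the name itself.
        labels = name.split(".")
        return any(self.neg_cache.get(".".join(labels[i:]), -1) > self.now
                   for i in range(len(labels)))

    def resolve(self, qname):
        name = qname.rstrip(".").lower()
        if self._covered(name):
            return ("NXDOMAIN", "cache")
        tld = name.rsplit(".", 1)[-1]
        # With QNAME minimisation the root only ever sees the TLD label.
        sent = tld if self.qname_min else name
        rcode, _ = self.root.query(sent)
        if rcode == "NXDOMAIN":
            self.neg_cache[sent] = self.now + NEGATIVE_TTL
            if self.root_nx_trust:
                # The root zone only holds delegations, so an NXDOMAIN from it means
                # the TLD itself does not exist: cache at the TLD, covering everything below.
                self.neg_cache[tld] = self.now + NEGATIVE_TTL
            return ("NXDOMAIN", "root")
        return ("REFERRAL", "root")


def attack_names(n, seed=1):
    """Constructed query stream shaped like the report: four labels of three digits, each <= 500."""
    rng = random.Random(seed)
    return [".".join(f"{rng.randint(100, 500):03d}" for _ in range(4)) + "." for _ in range(n)]


def root_queries(n, root_nx_trust=False, qname_min=False, seed=1):
    """Queries the fake root sees for n attack names under the given resolver settings."""
    root = FakeRoot()
    res = Resolver(root, root_nx_trust=root_nx_trust, qname_min=qname_min)
    for name in attack_names(n, seed):
        res.resolve(name)
    return root.queries


if __name__ == "__main__":
    for nx_trust, qmin in [(False, False), (True, False), (False, True)]:
        print(f"root-nx-trust={nx_trust!s:5} qname-min={qmin!s:5} -> "
              f"{root_queries(1000, nx_trust, qmin)} root queries")
```

With plain per-name negative caching every one of the 1000 random names goes to the root; with either 'root-nx-trust' or QNAME minimisation the root is asked at most once per distinct non-existent TLD (here at most 401 three-digit values), after which every further name under that TLD is answered from cache. The model also shows the trade-off the nsec-aggressiveuse draft addresses: it believes an unvalidated NXDOMAIN, so a spoofed root answer would suppress a whole TLD for the negative TTL, whereas aggressive use of a DNSSEC-validated NSEC record gives the same saving without that exposure.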