[161705] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Mar 25 16:59:36 2013
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <20130325205106.GA9242@besserwisser.org>
Date: Mon, 25 Mar 2013 16:59:25 -0400
To: Måns Nilsson <mansaxel@besserwisser.org>
Cc: "nanog@nanog.org Group" <nanog@nanog.org>, ahebert@pubnix.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2013-03-25, at 16:51, Måns Nilsson <mansaxel@besserwisser.org> wrote:
> I've successfully applied the Redbarn patches to my BIND, and I expect
> the NSD rate-control to be of similar quality, or better.
We've formed the opinion at ICANN that the observed reaction to
reflection attacks by BIND9 + Schryver/Vixie RRL is definitely different
from NSD + NSD-RRL, but we don't yet know whether either one is better.
Dave Knight is busy building a test lab at DNS-OARC so he can replay
identical attack traffic against BIND9, NSD and knot with equivalent RRL
configurations to observe their behaviour. The source data he's using
initially is from a reflection attack against L-Root that landed in
Hamburg; if others here have full pcaps of similar events and are
interested in comparing the reactions to it from those three
nameservers, let me know and I can put you in touch.
Dave plans to talk about his methodology and findings at the DNS-OARC
workshop in Dublin in May (assuming his presentation proposal is
accepted).
(The DNS-OARC workshop is cojoined with the RIPE meeting, for those who
are DNS-curious and haven't already considered a couple of extra days of
DNS fun alongside the RIPE meeting they were already planning to
attend.)
Joe