Open Resolver Problems

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2013-03-25, at 16:51, Måns Nilsson <mansaxel at besserwisser.org> wrote:

> I've successfully applied the Redbarn patches to my BIND, and I expect
> the NSD rate-control to be of similar quality, or better.

We've formed the opinion at ICANN that the observed reaction to reflection attacks by BIND9 + Schryver/Vixie RRL is definitely different from NSD + NSD-RRL, but we don't yet know whether either one is better.

Dave Knight is busy building a test lab at DNS-OARC so he can replay identical attack traffic against BIND9, NSD and knot with equivalent RRL configurations to observe their behaviour. The source data he's using initially is from a reflection attack against L-Root that landed in Hamburg; if others here have full pcaps of similar events and are interested in comparing the reactions to it from those three nameservers, let me know and I can put you in touch.

Dave plans to talk about his methodology and findings at the DNS-OARC workshop in Dublin in May (assuming his presentation proposal is accepted).

(The DNS-OARC workshop is cojoined with the RIPE meeting, for those who are DNS-curious and haven't already considered a couple of extra days of DNS fun alongside the RIPE meeting they were already planning to attend.)


Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20130325/aee4b244/attachment.sig>

• Previous message (by thread): Open Resolver Problems
• Next message (by thread): Open Resolver Problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]