Dear NSD Users,
Recently, specifically in TLD operator circles, there has been a lot of
discussion on the use of authoritative servers for reflection attacks.
We have been following these discussions with questions about the
core-functionality of DNS, NSD's lean-mean-thus-secure architecture, and
good neighbourship in mind. We considered an external and generic tool to deal
with reflection but assessed that having a method to prevent reflection attacks
within the name server is the best way to lower deployment hurdles. Therefore,
we have decided to incorporate a technique to deal with reflection attacks in
NSD.
The technique is inspired by the work done by Vixie & Schryver [1] but will,
because of biological diversity arguments, differ in some of its implementation
details. Of course, it will be written from scratch by NLnet Labs. In the near
future you may expect a blog-post on http://www.nlnetlabs.nl/blog/ with a
description of the design.
We have prioritized this work and expect to have code available within a few
months.
Thank you for using NSD.
-- Olaf Kolkman
[1] http://ss.vix.com/~vixie/isc-tn-2012-1.txt
NLnet Labs
Olaf M. Kolkman
www.NLnetLabs.nl
olaf at NLnetLabs.nl
Science Park 400, 1098 XH Amsterdam, The Netherlands