Andreas Schulze
2013-Jan-17 12:00 UTC
[nsd-users] concepts against amplification using dnssec
Hello,

Lutz Donnerhacke implemented DNS-Dampening.
http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening

The implementation is available as a patch for BIND9 only.
He told me that there is another method preferred by the nsd developer.
It's called "Response Rate Limiting".

May one describe the idea behind rate limiting and compare it with Lutz' solution?

Thanks.

--
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg Nr.70
Executive Board:
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen
Jan-Piet Mens
2013-Jan-17 12:21 UTC
[nsd-users] concepts against amplification using dnssec
> He told me that there is another method preferred by the nsd developer.
> It's called "Response Rate Limiting".

I think you're probably looking for [1], which is (loosely) based on the RRL patches for BIND9.

-JP

[1] http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/