[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
Paul Wouters
paul at nohats.ca
Thu Feb 15 19:25:11 UTC 2018
On Thu, 15 Feb 2018, Michael A. Peters wrote:
> I believe the fear was abuse in DDoS amplification attacks.
That is addressed with DNS-COOKIES and RRL:
https://tools.ietf.org/html/rfc7873
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
And of course, one can use ECC-based algorithms to reduce the remaining
amplification. DNS software is getting pretty good at reducing this
harm. Good enough to not use 1024-bit RSA anymore.
Paul