Short description
The spoof-nearmiss-max setting defaults to 20. In light of the SAD DNS attack bringing attention to this issue, it might be nice to change it to 1 (and perhaps even hardcode it in a later release).
I'm not sure if anyone remembers why 20 was chosen (in like 2006).
The question is if there are any downsides to changing it. Getting some large resolvers to experiment first might help answer that.
With the changes in #9744, I believe the design now matches Knot Resolver, which also uses 1 (and hardcodes it, I think).
From a coolness and marketing perspective, using Knot's analysis, using 1 totally mitigates the SAD DNS attack, while using 20 almost totally mitigates the attack, which doesn't sound as good.
Usecase
SAD DNS attack mitigation and consistency with Knot Resolver.
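To make the 1-versus-20 trade-off concrete, here is an added simplified model of the near-miss counter (not PowerDNS Recursor or Knot Resolver code). It assumes only the documented meaning of the setting: after this many answers with the wrong transaction ID for an outstanding query, assume the query is being spoofed and abandon it; the names, the "abort and retry" reaction and the sample answers are constructed for the example.

```python
# Simplified near-miss spoof detector (added example, not resolver code).
# Model: one outstanding UDP query with a chosen 16-bit transaction ID; any
# answer for the same question with a different ID is a "near miss".
from dataclasses import dataclass


@dataclass
class OutstandingQuery:
    qname: str
    txid: int                 # ID the resolver picked for this query
    nearmisses: int = 0
    state: str = "waiting"    # waiting | answered | spoof_suspected


@dataclass
class Response:
    qname: str
    txid: int
    rdata: str


def process_response(q: OutstandingQuery, r: Response, spoof_nearmiss_max: int) -> str:
    """Feed one answer for q's question and return the query's new state."""
    if q.state != "waiting" or r.qname != q.qname:
        return q.state
    if r.txid == q.txid:
        q.state = "answered"          # ID matches: accept (and cache) the answer
        return q.state
    q.nearmisses += 1                 # matching question, wrong ID: a near miss
    if spoof_nearmiss_max and q.nearmisses >= spoof_nearmiss_max:
        # Threshold hit: assume spoofing, abandon the UDP query. A real resolver
        # would retry (assumed here: over TCP) instead of trusting any answer.
        q.state = "spoof_suspected"
    return q.state


def run_scenario(spoof_nearmiss_max: int, forged_guesses: int) -> str:
    """Constructed scenario: forged_guesses wrong-ID answers arrive before the genuine one."""
    q = OutstandingQuery(qname="www.example.com.", txid=0x1234)
    for i in range(forged_guesses):
        bad = Response("www.example.com.", txid=(0x2000 + i) & 0xFFFF, rdata="203.0.113.66")
        if process_response(q, bad, spoof_nearmiss_max) != "waiting":
            break
    genuine = Response("www.example.com.", txid=0x1234, rdata="192.0.2.10")
    return process_response(q, genuine, spoof_nearmiss_max)
```

With the default of 20 a guesser gets 19 wrong-ID answers per query before the resolver reacts (`run_scenario(20, 19)` still ends "answered"); with 1 the very first wrong ID aborts the query (`run_scenario(1, 1)` ends "spoof_suspected"), and 0 disables the check entirely.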