rec: Change spoof-nearmiss-max default to 1 #9845
Labels
Milestone
Comments
omoerbeek
added a commit
to omoerbeek/pdns
that referenced
this issue
Feb 10, 2021
7 tasks
chbruyand
pushed a commit
to chbruyand/pdns
that referenced
this issue
Mar 9, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ShortdescriptionThe
spoof-nearmiss-maxsetting defaults to20. In light of the SAD DNS attack bringing attention to this issue, it might be nice to change it to1(and perhaps even hardcode it in a later release).I'm not sure if anyone remembers why
20was chosen (in like 2006).The question is if there are any downsides to changing it. Getting some large resolvers to experiment first might help answer that.
With the changes in #9744, I believe the design now matches Knot Resolver, which also uses
1(and hardcodes it, I think).From a coolness and marketing perspective, using Knot's analysis, using 1 totally mitigates the SAD DNS attack, while using 20 almost totally mitigates the attack, which doesn't sound as good.
Usecase
SAD DNS attack mitigation and consistency with Knot Resolver.
The text was updated successfully, but these errors were encountered: