@@ -42,7 +42,7 @@ This feature is especially useful when another implementation is used to sign th
...
@@ -42,7 +42,7 @@ This feature is especially useful when another implementation is used to sign th
## Minimization of answers on ANY and RRSIG queries
## Minimization of answers on ANY and RRSIG queries
Previously, querying the server for ANY or RRSING types lead to an answer with as many RRSets as exist for the queried name. This resulted in a high answer-to-query size ratio which could be abused in amplification attacks.
Previously, querying the server for ANY or RRSIG types lead to an answer with as many RRSets as exist for the queried name. This resulted in a high answer-to-query size ratio which could be abused in amplification attacks.
Because the legitimate use of such queries is low, it's preferable to answer them a minimized way, according to RFC 8482. Knot DNS answers those queries with just one, arbitrarily chosen type (partially since version 2.9.4, fully since 3.0). Therefore, the amplification factor isn't any higher than querying a specific RR type.
Because the legitimate use of such queries is low, it's preferable to answer them a minimized way, according to RFC 8482. Knot DNS answers those queries with just one, arbitrarily chosen type (partially since version 2.9.4, fully since 3.0). Therefore, the amplification factor isn't any higher than querying a specific RR type.
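Review bot: In the changed sentence, "lead to an answer" should be "led to an answer", because the sentence opens with "Previously" and describes past behaviour; this is worth fixing in the same edit as the RRSING typo. The unchanged paragraph that follows reads "answer them a minimized way", which is missing "in" ("answer them in a minimized way"). That paragraph also says "partially since version 2.9.4, fully since 3.0" without stating what the partial behaviour covered, so a short clause naming which of the ANY and RRSIG query types were minimized in 2.9.4 would help operators on that release judge their amplification exposure.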