[cabfpub] CAA records on opera.com

Adam Langley agl at google.com
Wed Jul 24 15:43:06 UTC 2013


On Wed, Jul 24, 2013 at 6:03 AM, Sigbjørn Vik <sigbjorn at opera.com> wrote:
> Adding the records increased our
> authoritative nameserver's DNS response from an already juicy 458 bytes to
> supreme juiciness of 506 bytes (512 bytes is still somewhat of the limit,
> at the very least resource usage will increase when topping that).

You're correct that your amplification factor is determined by the
largest response that an attacker can elicit, but you are not required
to return all records in response to an ANY query. You can also set
the truncated bit if you are uncomfortable with the size of your
reply.


Cheers

AGL
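
The truncation option described in the reply above, as an added example that is not part of the original message: a Python sketch of a responder-side check that replaces any UDP answer larger than 512 bytes with a header-plus-question reply carrying the TC bit, so the client retries over TCP. The helper names, example.com and the TXT payloads are constructed for illustration.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP payload limit without EDNS0
TC_BIT = 0x0200   # "truncated" flag in the header flags word

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name, qtype=255, txid=0x1234):
    """Constructed query; qtype 255 is ANY, flags 0x0100 is RD."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, txt_records):
    """Constructed authoritative answer with one TXT record per byte string."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt
        # 0xC00C is a compression pointer to the name in the question section
        answers += struct.pack("!HHHIH", 0xC00C, 16, 1, 300, len(rdata)) + rdata
    return header + query[12:] + answers

def question_end(msg):
    """Offset just past the single question (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4

def cap_udp_response(msg, limit=UDP_LIMIT):
    """Return msg unchanged if it fits; else header + question with TC set."""
    if len(msg) <= limit:
        return msg
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    header = struct.pack("!HHHHHH", txid, flags | TC_BIT, qdcount, 0, 0, 0)
    return header + msg[12:question_end(msg)]

def amplification(query, response):
    """Response bytes sent per query byte received."""
    return len(response) / len(query)

# Constructed sample: an ANY query and an answer well over the UDP limit
QUERY = build_query("example.com")
BIG = build_response(QUERY, [b"x" * 100] * 6)
CAPPED = cap_udp_response(BIG)
```

With the cap applied, the UDP reply is the same size as the query, so the amplification factor over UDP drops to 1.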


