Reply to comment:
Geoff Huston •
This is not a "newly discovered vulnerability." Florian Maury on ANSSI identified a potential query amplification issue with glueless delegations back in 2015 and presented it to the DNS OARC 21 meeting in May of that year. His presentation can be found at https://indico.dns-oarc.net/event/21/contributions/301/attachments/272/492/slides.pdf. The presentation notes that patches for Bind, Unbound and PowerDNS recursive resolvers were released back in December 2014, while the generic advice for resolver implementations to limit the amount of work performed to respond to a query was contained in RFC 1034, published in 1987. So credit where credit is due -- we should acknowledge Florian Maury for his work on this over five years ago, and also acknowledge Paul Mockapetris for alerting DNS resolver implementers to the possibility of encountering unbounded work flows back in 1987 when he wrote RFC1034!