On Fri, Mar 29, 2013 at 09:54:31PM +0900,
 Daisuke HIGASHI <daisuke.higashi at gmail.com> wrote
 a message of 199 lines which said:

> "max-udp-size" is almost exactly same as BIND9's.

Very good idea. I note that NSD has two parameters for that, one for IPv4 responses and one for IPv6 (to deal with MTU issues). I wonder if it's worth the complexity?

> ACL action "allow_minimal" is like "allow" but limits UDP response
> size up to 512 bytes. Essentially it limits amplification rate of
> DNS traffic reflection attack more aggressively.

Very good idea.
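
An added illustration of the size cap discussed in this message, not code from the thread or from the patch: it measures the response-to-query size ratio with and without a 512-byte UDP limit. It assumes the server enforces the cap by truncation (header plus question with the TC bit set); all function names and the sample messages are constructed for the example.

```python
import struct

TC_FLAG = 0x0200  # truncation bit in the DNS header flags word

def encode_name(name):
    # "example.com" -> length-prefixed labels ending in a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def question_end(msg):
    # Offset just past the first question (name labels, QTYPE, QCLASS).
    pos = 12
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return pos + 1 + 4

def build_query(name, qtype=16, edns_size=4096):
    # Constructed query: header, one question, one EDNS0 OPT record.
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt

def build_response(query, txt_count, txt_len=200):
    # Constructed response: echoes the question, adds txt_count TXT records.
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, txt_count, 0, 0)
    rdata = bytes([txt_len]) + b"x" * txt_len
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + query[12:question_end(query)] + rr * txt_count

def cap_udp_response(response, max_size):
    # Responses that fit pass through unchanged; larger ones are
    # reduced to header + question with TC set (assumed behaviour).
    if len(response) <= max_size:
        return response
    qid, flags = struct.unpack("!HH", response[:4])
    header = struct.pack("!HHHHHH", qid, flags | TC_FLAG, 1, 0, 0, 0)
    return header + response[12:question_end(response)]

def amplification(query, response):
    # Bytes sent to the (possibly spoofed) source per byte received.
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("example.com")
    big = build_response(q, 15)
    for limit in (4096, 512):
        out = cap_udp_response(big, limit)
        print(limit, len(out), round(amplification(q, out), 2))
```

With the cap at 512 bytes the oversized answer shrinks to less than the query itself, while answers that already fit are still served in full.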