[as112-ops] DNSSEC?

Joe Abley jabley at hopcount.ca
Wed Jan 13 12:46:32 UTC 2010


On 2010-01-13, at 07:06, Nick Hilliard wrote:

> On 13/01/2010 00:30, William F. Maton wrote:
>> Is there something to be specifically solved by deploying DNSSEC for AS112?
>> 
>> (just asking to entice some discussion here by the AS112 operators)
> 
> Not wanting to stir personality trouble, but djb's recent presentation on
> dnssec gives rise to some concern:
> 
> http://cr.yp.to/talks/2009.08.10/slides.pdf
> 
> Ignoring the crypto aspect of dnssec, the packet amplification seems a good
> reason to be pretty concerned about implementing dnssec on an anycast system.

There has been amplification potential in DNS servers with UDP transport since the day the first nameserver came on-line. I remember scratching my head over repeated queries for AOL.COM IN MX? when debugging a cache getting on for twenty years ago.

I think it's clear that DNSSEC doesn't provide any additional techniques in this area, although I suppose you could make the argument that it's easier to find a query that will cause good amplification. It's not hard without DNSSEC though, so it's not clear to me that the bar for launching an attack is lowered in any practical sense.


Joe


More information about the as112-ops mailing list