[as112-ops] DNSSEC?

Shane Kerr shane at isc.org
Wed Jan 13 13:18:51 UTC 2010


Nick,

On Wed, 2010-01-13 at 12:54 +0000, Nick Hilliard wrote:
> On 13/01/2010 12:46, Joe Abley wrote:
> > I think it's clear that DNSSEC doesn't provide any additional techniques
> > in this area, although I suppose you could make the argument that it's
> > easier to find a query that will cause good amplification. It's not hard
> > without DNSSEC though, so it's not clear to me that the bar for
> > launching an attack is lowered in any practical sense.
> 
> There's nothing new or revolutionary here.  It's just the amplification
> factor of 30x which is cause for concern.

My reading of this paper:

http://www.securiteam.com/securityreviews/5GP0L00I0W.html

Indicates the main cause of problems is EDNS, not DNSSEC.

Amplification factor of much more than 30x is possible with EDNS,
although if AS112 zones were signed with a smallish key probably much
less for them.

I'd say that DNS amplification is not a large factor to consider when
signing these junk zones.

--
Shane



More information about the as112-ops mailing list