[as112-ops] DNSSEC?
Shane Kerr
shane at isc.org
Wed Jan 13 13:18:51 UTC 2010
Nick,
On Wed, 2010-01-13 at 12:54 +0000, Nick Hilliard wrote:
> On 13/01/2010 12:46, Joe Abley wrote:
> > I think it's clear that DNSSEC doesn't provide any additional techniques
> > in this area, although I suppose you could make the argument that it's
> > easier to find a query that will cause good amplification. It's not hard
> > without DNSSEC though, so it's not clear to me that the bar for
> > launching an attack is lowered in any practical sense.
>
> There's nothing new or revolutionary here. It's just the amplification
> factor of 30x which is cause for concern.
My reading of this paper:
http://www.securiteam.com/securityreviews/5GP0L00I0W.html
Indicates the main cause of problems is EDNS, not DNSSEC.
Amplification factor of much more than 30x is possible with EDNS,
although if AS112 zones were signed with a smallish key probably much
less for them.
I'd say that DNS amplification is not a large factor to consider when
signing these junk zones.
--
Shane
More information about the as112-ops
mailing list