[as112-ops] DNSSEC?

Nick Hilliard nick at inex.ie
Wed Jan 13 22:06:10 UTC 2010


On 13/01/2010 18:59, Paul Vixie wrote:
> see <http://www.icann.org/en/committees/security/sac004.txt>, and consider
> that if we don't solve the BCP38 problem then there are dozens or hundreds
> of other amplification sources besides EDNS.  the internet isn't just HTTP.

There are other sources, yes.  But the two common sources which allow
unauthenticated stateless amplification are dns and ntp.  Other common
protocols have different behaviour: icmp doesn't really amplify a whole
lot, although it is unauthenticated and stateless; snmp is stateless and
will amplify, but is usually authenticated (and firewalled); tcp protocols
can be unauthenticated and will amplify, but they are stateful at the
protocol level and that makes it difficult to create a useful third party
attack.  You don't need these three characteristics to create a ddos, but
when you have the three of them together, they make it much easier.

Anyway, this isn't really germane to the as112-ops list and we all know it
anyway.  Paul, your other email to the list a short time ago is much more
relevant.  Given the loose nature of the as112 project, it would seem
difficult to sign the various domains, and as you note, the value in doing
so is low.

Nick


More information about the as112-ops mailing list