[dns-operations] EDNS0
william(at)elan.net
Wed Mar 1 05:39:48 UTC 2006
On Wed, 1 Mar 2006, Mark Andrews wrote:
> As DNSSEC is deployed finding a 3+k authoritative response
> will be about as easy as finding a 500 byte response is
> today. You will be able to do the attack w/o needing the
> recursive servers.

That doesn't make me feel a whole lot better ... (in fact this confirms
my worst fears about how easy it is to abuse simple UDP query/response
protocols like DNS)

So the obvious next question is: what do internet operational and/or
engineering folks plan to do so as to prevent amplification attack
abuse of DNSSEC servers when these do get deployed?

--
William Leibzon
Elan Networks
william at elan.net