[dns-operations] EDNS0

william(at)elan.net william at elan.net
Wed Mar 1 05:39:48 UTC 2006

On Wed, 1 Mar 2006, Mark Andrews wrote:

> 	As DNSSEC is deployed finding a 3+k authoritative response
> 	will be about as easy as finding a 500 byte response is
> 	today.  You will be able to do the attack w/o needing the
> 	recursive servers.

That doesn't make me feel a whole lot better ... (in fact this confirms 
my worst fears about how easy it is to abuse simple UDP query/response 
protocols like DNS)

So the obvious next question is what do internet operational and/or
engineering folks plan to do so as to prevent amplification attack
abuse of DNSSEC servers when these do get deployed?

William Leibzon
Elan Networks
william at elan.net
