Paul Vixie paul at vix.com
Wed Mar 1 05:56:01 UTC 2006

# That doesn't make me feel a whole lot better ... (in fact this confirms my
# worst fears about how easy it is to abuse simple UDP query/response
# protocols like DNS)

i think i left a sentence out of SAC004 (which is the PHB version of BCP38).
basically i forgot to say "listen up, folks, if we don't deploy BCP38, then
the lack of source address repudiability will become a cancerous, pervasive
scaling limit to the size of the internet community and industry, and a
barrier to the success of new applications, and it will be the calcified
arterial walls that lead the internet into premature old age."  sorry about
that.  (the url again is http://www.icann.org/committees/security/sac004.txt).

# So the obvious next question is what do internet operational and/or
# engineering folks plan to do so as to prevent amplification attack
# abuse of DNSSEC servers when these do get deployed?

what SHOULD we do?  universally deploy BCP38, using regulation as required.

what WILL we do?  probably nothing.  let it happen and live with the results.

what do folks PLAN to do?  that's an answer i'd also like to hear.

