[dns-operations] DNS deluge for x.p.ctrc.cc
andrew at ca.afilias.info
Fri Mar 3 20:31:31 UTC 2006
On Fri, Mar 03, 2006 at 07:37:56PM +0000, Paul Vixie wrote:
> should root and TLD nameserver operators choose to be available to all parties
> or should they choose to be available while they are attacked? your answer
> only has to cover the time between today and universal BCP38 deployment.
The trouble I now have with your question is that my answer depends
very much on the answers to these questions:
1. Is there a value, approaching but short of "universal"
deployment, where there are few enough potential spoofing machines
that no-BCP38 in those networks doesn't matter that much? (I suspect
the answer is yes, but it might be so small as not to matter.)
2. What is the chance that an equivalently bad attack can be
accomplished without using recursing nameservers, and how soon would
that attack be available? (I think the answer to the first half of
this is "1". The only open question is the second half.)
3. Are there measures we could take that would affect
(significantly) the number of BCP 38 implementations, and how long
would they take to be effective?
If the answer to (3), for instance, were, "Yes, and 3 months", I bet
we would all say that we should concentrate on that instead. Now,
I've in fact heard some pessimistic estimates about that question
from you. From those that are arguing BCP 38's the real goal, I'd
like to hear suggestions on how to achieve it.
Andrew Sullivan 204-4141 Yonge Street
Afilias Canada Toronto, Ontario Canada
<andrew at ca.afilias.info> M2P 2A8
+1 416 646 3304 x4110
More information about the dns-operations