[dns-operations] on amplification, udp, and dns
Mark Andrews
Mark_Andrews at isc.org
Thu Mar 23 20:32:14 UTC 2006
> * Edward Lewis wrote:
> > But if DNSSEC (a desirable thing to quite a few folks) gets to
> > widespread deployment, then there will be many authoritative servers
> > that will be available for amplification services. What a dilemma,
> > improving the security of DNS makes DNS a more valuable tool for DDoS.
> >
> > EDNS0 opens up the message size is needed for DNSSEC, IPv6 glue, and
> > then NAPTR record in ENUM. But then again, this improvement
> > facilitates amplification.
> >
> > This does not make me happy.
>
> I have no problem with it at all.
I really read Ed's message as a warning to get BCP 38 almost
universally deployed before we get widespread use of DNSSEC
/ ENUM or otherwise the problem will reappear with authoritative
servers. i.e. there is a small window in time before the problem
space will shift.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org