[dns-operations] on amplification, udp, and dns

Mark Andrews Mark_Andrews at isc.org
Thu Mar 23 20:32:14 UTC 2006

> * Edward Lewis wrote:
> > But if DNSSEC (a desirable thing to quite a few folks) gets to 
> > widespread deployment, then there will be many authoritative servers 
> > that will be available for amplification services.  What a dilemma, 
> > improving the security of DNS makes DNS a more valuable tool for DDoS.
> >
> > EDNS0 opens up the message size is needed for DNSSEC, IPv6 glue, and 
> > then NATPR record in ENUM.  But then again, this improvement 
> > facilitates amplification.
> >
> > This does not make me happy.
> I have no problem with it at all.

	I really read Ed's message as a warning to get BCP 38 almost
	universally deployed before we get wide spread use of DNSSEC
	/ ENUM or otherwise the problem will reappear with authoritative

		there is a small window in time before the problem space
	will shift.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list