[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

Rodney Joffe rjoffe at centergate.com
Tue Apr 3 20:32:09 UTC 2007


On Apr 3, 2007, at 11:51 AM, Matt Larson wrote:

> On Tue, 03 Apr 2007, Rodney Joffe wrote:
>> I remain (October 2002) convinced that no matter what "solution[s]"
>> we end up with, we'll *have* to include a control plane, in some form
>> or another.
>
> Could you please give an example of what you mean by DNS control plane
> information?

Answered previously.
>
> When you proposed this idea in late 2002, Rodney, I recall that it was
> in response to the October, 2002 DDoS attacks and involved creating a
> VPN of sorts to ensure that participants in the scheme always got
> their queries answered by using dedicated paths to your (and other
> providers') infrastructure.  That sounds like creating multiple
> classes of service, not a control plane.
>
> VeriSign's DDoS mitigation strategy was and remains to spend the money
> and devote the engineering necessary to over provision to handle what
> comes at us.

Matt, as I described in 2002, and since then repeatedly, scale cannot  
solve this problem. The protocol doesn't allow this, and *no-one*  
(proven by Akamai in 2004) has enough resources, systems and  
bandwidth, to cope with the bandwidth saturation that UDP enables.  
I'm happy to prove it again.

So the only way around is the use of an alternative plane. DNS
Shield is one instantiation. I am sure there are others. But spending
time, money and engineering to over provision has no possibility of
succeeding. The attackers have access to more resources than *any* of
us, because they use *our* bandwidth. The collective "our".

Rodney

PS if you have discovered the elixir of life in our world, it would  
be great if you shared it. It is important to all of us to be able to  
solve this problem. :-)
