[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

Matt Larson mlarson at verisign.com
Wed Apr 4 14:45:35 UTC 2007

On Tue, 03 Apr 2007, Rodney Joffe wrote:
> Matt, as I described in 2002, and since then repeatedly, scale cannot
> solve this problem. The protocol doesn't allow this, and *no-one*
> (proven by Akamai in 2004) has enough resources, systems and
> bandwidth, to cope with the bandwidth saturation that UDP enables.
> I'm happy to prove it again.

I'm not claiming scale can "solve" the problem, but it'll go a long
way: the more capacity you have, the more attacks you can weather.  Of
course, you also need good relations with peers and upstreams so you
can get filters put in place (when the attackers are idiots and the
attack traffic is easily filtered) and you need sophisticated
filtering in your own infrastructure, too.  We can all imagine a
doomsday scenario that none of us can survive, but that doesn't excuse
a responsible provider from provisioning the hell out of their
infrastructure to survive the survivable attacks.  If you live on the
coast, there's always the possibility that a Category 5 hurricane will
come along and sweep away your house, but that doesn't mean you should
just build a mud hut, whistle and hope for the best.
