[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)

[Paul Vixie]

> As I understand, DNS Shield does a good job at what it does, which is to
> protect the ability of some large recursive servers to do name lookups in
> Ultra-hosted zones (including the root now or at least soon, through the
> Ultra/F-Root agreement).

so far, so good.

> If it were possible to put such a cluster in front of every recursive server
> that needs to be able to do lookups on Ultra-hosted zones, it might be a big
> success.  But there are a lot of recursive DNS servers out there, a lot of
> which have not been the cause of any attacks.  Our job is to reliably serve
> all of them.

this is where i think you're missing the point.  the goal of the dns shield
project is to make attacks of this kind economically unattractive.  if a DDFH
can't affect AOL's (to pick an example) resolution success rate for a victim
online casino, then the value of DDFH as an extortion tool plummets, even if
quite a few smaller ISP's see that online casino as "offline" during attacks.
so the goal isn't to be universally reachable, or rather, that goal is being
met by massive overprovisioning.  the goal is to make attacks unsuccessful by
which i mean they won't make money for the extorters since they won't damage
the casinos enough to make them willing to pay.  under those conditions and
ONLY under those conditions, the attacks will stop.

> Am I missing something here?  Do 75% of the world's Internet users (to 
> take a number from another of Rodney's message) really use less than 30 
> recursive DNS servers?

that sounds about right.