[dns-operations] Amplification attack today ?

Paul Vixie paul at vix.com
Tue Mar 6 15:34:38 UTC 2007


> > ... in that light, i'd like to see them closed down unless they are
> > tightly managed and monitored and open-on-purpose (like opendns).
> 
> DNSSEC is (even used in correct configuration) a great amplification tool
> for attack.

plz demonstrate or explain.

> Will you stop it, too? What happens, if your Blackhole list is mismanaged
> and some "supposed open" DNS servers are blocked by the root servers? I
> suspect the liability question is hard.

no rootop will ever subscribe to a blackhole list.  or at least i would not.

> OTOH I have no time and no money to sue an unknown fanatic blackhole list
> maintainer. I'd prefer the Internet way and switch to other services i.e.
> other root servers. I will not be alone.

i think we're well off track.

