[dns-operations] Scott Doty: The DDOS problem & security BOF: Am i mistaken?
peter at peter-dambier.de
Thu Oct 16 18:55:29 UTC 2008
Florian Weimer wrote:
> * Paul Vixie:
>> the nanog moderators have ended this thread & recommended it be sent
> If the answer to certain DNS issues is "more authoritatives" (I'm
> assuming that's what Scott is alluding to), we should define an AXFR
> record which contains a URL for a replica of the zone (or maybe just an
> address, but then you can't use https://).
> Interested resolver operators could then keep a copy of the most
> important zones (based on actual usage on this resolver). Not using NS
> records means that there is clear opt-in from the zone operator, and the
> TCP stuff could be factored out of the critical path. It could also be
> made clear to zone operators that changing AXFR records (and referenced
> infrastructure) is costly because it will trigger extensive verification
> from resolvers.
This sounds interesting to me.
I am interested in DNS for spies and journalists.
As a spy I don't want my queries to be seen in a resolver log.
As a journalist I want my answers from a nameserver for adults and
not from a nameserver for children.
So https would be great, http would be better than nought.
If I could cut and paste my DNS together, I would be immune
against all kinds of poisoning and phishing (almost).
> On the other hand, I'm not sure if this is really the right approach.
> For example, SSH-style leap-of-faith DLV seems more attractive to me.
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de