[dns-operations] Scott Doty: The DDOS problem & security BOF: Am i mistaken?

Peter Dambier peter at peter-dambier.de
Thu Oct 16 18:55:29 UTC 2008

Florian Weimer wrote:
> * Paul Vixie:
>> the nanog moderators have ended this thread & recommended it be sent
>> here.
> If the answer to certain DNS issues is "more authoritatives" (I'm
> assuming that's what Scott is alluding to), we should define an AXFR
> record which contains a URL for a replica of the zone (or maybe just an
> address, but then you can't use https://).
> Interested resolver operators could then keep a copy of the most
> important zones (based on actual usage on this resolver).  Not using NS
> records means that there is clear opt-in from the zone operator, and the
> TCP stuff could be factored out of the critical path.  It could also be
> made clear that to zone operators changing AXFR records (and referenced
> infrastructure) is costly because it will trigger extensive verification
> from resolvers.

This sounds interesting to me.

I am interested in DNS for spies and journalists.

As a spy I don't want my queries to be seen in a resolver log.

As a journalist I want my answers from a nameserver for adults and
not from a nameserver for children.

So https would be great, http would be better than nought.

If I could cut and paste my DNS together, I would be immune
against all kinds of poisoning and phishing (almost).

> On the other hand, I'm not sure if this is really the right approach.
> For example, SSH-style leap-of-faith DLV seems more attractive to me.

