[dns-operations] we may finally have a dnssec use case ; -) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)
George Barwood
george.barwood at blueyonder.co.uk
Mon Mar 29 07:07:18 UTC 2010
----- Original Message -----
From: "bert hubert" <bert.hubert at netherlabs.nl>
To: "Mauricio Vergara Ereche" <mave at nic.cl>
Cc: <dns-operations at lists.dns-oarc.net>
Sent: Thursday, March 25, 2010 8:54 PM
Subject: [dns-operations] we may finally have a dnssec use case ; -) Re: Odd behaviour of DNS queries in PRC (facebook, youtube & twitter)
> On Thu, Mar 25, 2010 at 11:36:30AM -0300, Mauricio Vergara Ereche wrote:
>> <hat "personal">
>> I second Stephane and previous Bert's opinion.
>
> Given the nature of why this is happening, this is one of the first use cases
> I see for DNSSEC that actually is worth the administrative overhead.
I don't think DNSSEC stops this attack. It is (I think) a selective Denial of Service attack.
The way to prevent attacks like this is to encrypt and authenticate packets, e.g.
http://tools.ietf.org/html/draft-barwood-dnsext-dns-transport
I share your reservations about the administrative overhead and complexity of DNSSEC.
Link-level protection (as in the link above) allows a large number of domains that share
the same name servers to be secured with a single administrative action.
George
> Preventing Kaminsky spoofing, which appears not to be happening anyhow, is
> not that exciting, and may not be worth the effort.
>
> But preventing nation states from *globally* changing DNS traffic (even if
> only by accident), far beyond their shores, might be a great idea.
>
> Especially since there is little alternative except to stop doing anycast
> root-server, or everyone downloading a copy of the root zone (or both).
>
> Bert
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
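To make the distinction in George's reply concrete, here is an added toy model (not code from this thread or from the cited draft): an on-path injector answers a query before the real server does, and the resolver takes the first matching reply. Keyed MACs with constructed keys stand in for DNSSEC signatures and for the authenticated transport of the draft; the query name and addresses are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed keys for the model: the zone key stands in for the DNSKEY/RRSIG
# chain a validator checks, the transport key for the shared secret of an
# authenticated (link-level) transport. The injector knows neither.
ZONE_KEY = b"constructed-zone-signing-key"
TRANSPORT_KEY = b"constructed-transport-key"

def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()

@dataclass
class Response:
    txid: int
    name: str
    rdata: str
    rrsig: str = ""   # zone-level signature over (name, rdata); empty if unsigned
    tmac: str = ""    # transport-level MAC over (txid, name, rdata); empty if none

def authentic(txid, name, rdata, signed, protected):
    r = Response(txid, name, rdata)
    if signed:
        r.rrsig = mac(ZONE_KEY, name.encode(), rdata.encode())
    if protected:
        r.tmac = mac(TRANSPORT_KEY, str(txid).encode(), name.encode(), rdata.encode())
    return r

def forged(txid, name, rdata):
    # The injector has seen the query, so txid and name match, but it has no key.
    return Response(txid, name, rdata)

def resolve(txid, name, wire, validate, protected):
    """Process replies in arrival order; return the accepted rdata or 'SERVFAIL'."""
    for r in wire:
        if protected:
            # Transport check runs first: a reply with a bad MAC is dropped as if it
            # had never arrived, so the authentic reply behind it is still considered.
            want = mac(TRANSPORT_KEY, str(txid).encode(), name.encode(), r.rdata.encode())
            if not hmac.compare_digest(r.tmac, want):
                continue
        if r.txid != txid or r.name != name:
            continue
        if validate:
            # DNSSEC detects the forgery, but this resolver has already committed to
            # the first matching reply, so it is left with no usable answer: denial.
            ok = hmac.compare_digest(r.rrsig, mac(ZONE_KEY, name.encode(), r.rdata.encode()))
            return r.rdata if ok else "SERVFAIL"
        return r.rdata  # plain resolver: first matching reply wins
    return "SERVFAIL"

def scenario(validate, protected):
    txid, name = 0x1234, "www.example.com."   # constructed query
    wire = [forged(txid, name, "192.0.2.66"),  # injected reply arrives first
            authentic(txid, name, "192.0.2.1", signed=validate, protected=protected)]
    return resolve(txid, name, wire, validate, protected)
```

`scenario(True, False)` yields SERVFAIL (DNSSEC alone rejects the forgery but the client still gets no answer), while either transport-protected case returns the authentic address.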