[dns-operations] DNS "security" and DDoS attacks

Joe St Sauver joe at oregon.uoregon.edu
Mon Mar 29 15:48:27 UTC 2010

DNSSEC does potentially have a role in preventing at least some 
types of DDoS attacks -- consider, for example, sites that rely 
on SPF (http://www.openspf.org/) or DKIM with ADSP (see
http://www.dkim.org/ ) as part of their email management strategy. 

Because SPF and DKIM rely on DNS for distribution of SPF records 
and DKIM/ADSP information, if I can inject arbitrary evil SPF 
or DKIM/ADSP records, I can potentially cause a local application
layer denial of service attack, causing legitimate email traffic
to get negatively processed.

That's the sort of risk that I think will eventually drive DNSSEC
adoption for some pretty major players...
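
An added illustration of the scenario in the message above (not part of the original post): a small evaluator for the ip4/ip6/all subset of SPF, run for one legitimate sending host against the genuine record, a spoofed record, and the spoofed record behind a DNSSEC-validating resolver. The domain data, addresses, the toy `resolve()` model and the reject/defer policy are constructed assumptions, and the zone is assumed to be signed.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses).
GENUINE = "v=spf1 ip4:192.0.2.0/24 -all"  # what the signed zone publishes
SPOOFED = "v=spf1 ip4:203.0.113.7 -all"   # injected answer, no valid RRSIG
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(record, client_ip):
    """Evaluate the ip4/ip6/all subset of SPF (RFC 7208) for one client."""
    if record is None:                 # DNS error such as SERVFAIL
        return "temperror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not modelled here: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                   # no mechanism matched

def resolve(answer, signature_ok, validating):
    """Toy resolver: a validating one returns no data (SERVFAIL) for a bogus answer."""
    return None if validating and not signature_ok else answer

def mta_action(result):
    """Assumed local policy: reject on fail, defer on temperror."""
    return {"fail": "reject", "temperror": "defer"}.get(result, "accept")

def scenarios(client_ip="192.0.2.25"):
    """Same legitimate sending host, three resolver situations."""
    cases = {
        "genuine record": (GENUINE, True, True),
        "spoofed, non-validating resolver": (SPOOFED, False, False),
        "spoofed, validating resolver": (SPOOFED, False, True),
    }
    return {k: mta_action(check_host(resolve(*v), client_ip)) for k, v in cases.items()}

if __name__ == "__main__":
    for case, action in scenarios().items():
        print(f"{case:35} -> {action}")
```

With validation the spoofed answer never reaches the SPF check, so the legitimate message is deferred for retry instead of being rejected outright.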


