[dns-operations] DNS "security" and DDoS attacks
Joe St Sauver
joe at oregon.uoregon.edu
Mon Mar 29 15:48:27 UTC 2010
DNSSEC does potentially have a role in preventing at least some
types of DDoS attacks -- consider, for example, sites that rely
on SPF (http://www.openspf.org/) or DKIM with ADSP (see
http://www.dkim.org/ ) as part of their email management strategy.
Because SPF and DKIM rely on DNS for distribution of SPF records
and DKIM/ADSP information, if I can inject arbitrary evil SPF
or DKIM/ADSP records, I can potentially cause a local application
layer denial of service attack, causing legitimate email traffic
to get negatively processed.
That's the sort of risk that I think will eventually drive DNSSEC
adoption for some pretty major players...
Regards,
Joe