[dns-operations] DNS "security" and DDoS attacks

Bill Woodcock woody at pch.net
Mon Mar 29 16:14:14 UTC 2010


      On Mon, 29 Mar 2010, Lutz Donnerhacke wrote:
    > DNSSEC *can* be used to filter out the correct answers from a set of
    > received responses. Please do not address an implementation issue to be a
    > protocol failure.

It's not a "protocol failure," it's just a limitation.  DNSsec cannot be 
used _by a router or firewall_ to distinguish between packets from a 
trusted source, versus those that aren't, in the way that, say, IPsec 
could.  If you have to go all the way through the validation process, and 
then you're left with an ambiguous result, DDoS will be very effective.

                                -Bill




More information about the dns-operations mailing list