[dns-operations] DNS "security" and DDoS attacks
Bill Woodcock
woody at pch.net
Mon Mar 29 16:14:14 UTC 2010
On Mon, 29 Mar 2010, Lutz Donnerhacke wrote:
> DNSSEC *can* be used to filter out the correct answers from a set of
> received responses. Please do not address an implementation issue to be a
> protocol failure.
It's not a "protocol failure," it's just a limitation. DNSSEC cannot be
used _by a router or firewall_ to distinguish between packets from a
trusted source, versus those that aren't, in the way that, say, IPsec
could. If you have to go all the way through the validation process, and
then you're left with an ambiguous result, DDoS will be very effective.
-Bill