[dns-operations] DNS "security" and DDoS attacks

Florian Weimer fweimer at bfk.de
Mon Mar 29 16:53:05 UTC 2010


* Lutz Donnerhacke:

> * George Barwood wrote:
>> You cannot stop ALL attacks, but there is a class of attacks that can be stopped
>> with relatively low administrative cost which DNSSEC in its present form does not address.
>
> DNSSEC *can* be used to filter out the correct answers from a set of
> received responses.

I think this claim heavily relies on the definition of "correct".  If
you define it not to cover name server names and their IP addresses,
you are right.  If you care where your packets go (and you should, for
a root server, until the whole tree is signed), this definition of
correctness is not very helpful.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99


