[dns-operations] DNS "security" and DDoS attacks
bert hubert
bert.hubert at netherlabs.nl
Mon Mar 29 17:01:36 UTC 2010
On Mon, Mar 29, 2010 at 04:53:05PM +0000, Florian Weimer wrote:
> I think this claim heavily relies on the definition of "correct". If
> you define it not to cover name server names and their IP addresses,
> you are right. If you care where your packets go (and you should, for
> a root server, until the whole tree is signed), this definition of
> correctness is not very helpful.
Indeed - unless validating resolvers become a lot smarter, and gain the
ability to reject bad delegations from memory that appear to lead to bogus
results, and requery.
Otherwise DNSSEC in this case would simply have turned a denial of service
into a denial of service.
The first because of a non-working IP address, the second because of data that
ends up as a SERVFAIL at the client computer.
Bert
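A toy model of the two resolver behaviours discussed in this reply (added example, not code from the thread or from any real resolver): a delegation with one dead address, one address serving data that fails validation, and one good address, queried once by a plain validator and once by a resolver that drops the bogus delegation from memory and requeries. The addresses and behaviours are constructed.

```python
from dataclasses import dataclass, field

TIMEOUT, GOOD, BOGUS = "timeout", "good", "bogus"

# Constructed delegation for one zone: three name server addresses
# (TEST-NET-1 addresses; the behaviours are made up for the model).
SAMPLE_DELEGATION = {
    "192.0.2.1": TIMEOUT,  # non-working IP address: the query is never answered
    "192.0.2.2": BOGUS,    # answers, but the data fails DNSSEC validation
    "192.0.2.3": GOOD,     # answers with data that validates
}


@dataclass
class Resolver:
    delegation: dict            # address -> what that server does in the model
    requery_on_bogus: bool      # True models the "smarter" validating resolver
    rejected: set = field(default_factory=set)  # delegation addresses dropped from memory

    def resolve(self):
        """Return (rcode seen by the client, addresses tried for this lookup)."""
        tried = []
        for addr, behaviour in self.delegation.items():
            if addr in self.rejected:
                continue                  # previously rejected, do not ask again
            tried.append(addr)
            if behaviour == TIMEOUT:
                continue                  # dead address: every resolver moves on
            if behaviour == GOOD:
                return "NOERROR", tried
            # bogus answer from this address
            if not self.requery_on_bogus:
                return "SERVFAIL", tried  # plain validator: client gets SERVFAIL
            self.rejected.add(addr)       # remember the bad delegation, requery
        return "SERVFAIL", tried          # nothing validated anywhere


def compare():
    """Run one plain and one smarter resolver against the sample delegation."""
    plain = Resolver(SAMPLE_DELEGATION, requery_on_bogus=False)
    smart = Resolver(SAMPLE_DELEGATION, requery_on_bogus=True)
    return {
        "plain": plain.resolve(),         # ('SERVFAIL', ['192.0.2.1', '192.0.2.2'])
        "smart_first": smart.resolve(),   # ('NOERROR', all three addresses)
        "smart_second": smart.resolve(),  # ('NOERROR', ['192.0.2.1', '192.0.2.3'])
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The second lookup by the smarter resolver shows the point of keeping the rejection in memory: the bogus address is skipped without a further round trip.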