[dns-operations] DNS "security" and DDoS attacks

bert hubert bert.hubert at netherlabs.nl
Mon Mar 29 17:01:36 UTC 2010


On Mon, Mar 29, 2010 at 04:53:05PM +0000, Florian Weimer wrote:
> I think this claim heavily relies on the definition of "correct".  If
> you define it not to cover name server names and their IP addresses,
> you are right.  If you care where you packets go (and you should, for
> a root server, until the whole tree is signed), this definition of
> correctness is not very helpful.

Indeed - unless validating resolvers become a lot smarter, and gain the
ability to reject bad delegations from memory that appear to lead to bogus
results, and requery. 

Otherwise DNSSEC in this case would simply have turned a denial of service
into a denial of service. 

The first because of a non-working IP address, the second because data that
ends up as a SERVFAIL at the client computer.

	Bert




More information about the dns-operations mailing list