[dns-operations] .com/.net DNSSEC operational message
George Barwood
george.barwood at blueyonder.co.uk
Sat Oct 30 07:11:16 UTC 2010
----- Original Message -----
From: "Cutler James R" <james.cutler at consultant.com>
To: "DNS-OARC DNS Operations" <dns-operations at mail.dns-oarc.net>
Sent: Saturday, October 30, 2010 3:01 AM
Subject: Re: [dns-operations] .com/.net DNSSEC operational message
>
> On Oct 29, 2010, at 6:37 PM, George Barwood wrote:
>
>> If the resolver validates the IP addresses of the root servers, the attack can be defeated.
>
> Validation of an end point address for any communication or data exchange is orthogonal to validation of the communication itself.
>
> How do I know that some BGP data has not been compromised so that my "validated" destination address is really a bad guy?
You don't. It stops one particular specific DoS/privacy attack, not every DoS/privacy attack.
To stop all network level attacks needs link level encryption/authentication along the lines of
http://tools.ietf.org/html/draft-barwood-dnsext-dns-transport-18
My view is that the costs of setting up link level keys probably exceeds the value of any benefits.
My greater concern is limiting amplification attacks, which are a concrete threat.
Joe asked a question and I answered it. I'm not taking a position on whether root-servers.net should be signed.
George
>
> James R. Cutler
> james.cutler at consultant.com
>
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list