[dns-operations] .com/.net DNSSEC operational message

George Barwood george.barwood at blueyonder.co.uk
Sat Oct 30 07:11:16 UTC 2010


----- Original Message ----- 
From: "Cutler James R" <james.cutler at consultant.com>
To: "DNS-OARC DNS Operations" <dns-operations at mail.dns-oarc.net>
Sent: Saturday, October 30, 2010 3:01 AM
Subject: Re: [dns-operations] .com/.net DNSSEC operational message


> 
> On Oct 29, 2010, at 6:37 PM, George Barwood wrote:
> 
>> If the resolver validates the IP addresses of the root servers, the attack can be defeated.
> 
> Validation of an end point address for any communication or data exchange is orthogonal to validation of the communication itself.
> 
> How do I know that some BGP data has not been compromised so that my "validated" destination address is really a bad guy?

You don't. It stops one particular specific DoS/privacy attack, not every DoS/privacy attack.

To stop all network-level attacks needs link-level encryption/authentication along the lines of

http://tools.ietf.org/html/draft-barwood-dnsext-dns-transport-18

My view is that the costs of setting up link-level keys probably exceed the value of any benefits.

My greater concern is limiting amplification attacks, which are a concrete threat.

Joe asked a question and I answered it. I'm not taking a position on whether root-servers.net should be signed.

George

> 
> James R. Cutler
> james.cutler at consultant.com
