[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Florian Weimer fw at deneb.enyo.de
Sun Jul 17 11:18:37 UTC 2011


* Joe Greco:

> However, those solutions are much more fraught with peril.  When
> you start interfering with IP addresses, for example, even assuming
> you could inject a v4 /32, you may take down a whole slew of sites
> unrelated to what you are attempting to target.

This is not rocket science.  You route the /32 to the interception
device, and do whatever processing is necessary at the higher protocol
level.  It's probably sufficient if you match on a few characteristic
keywords/bit strings there.  Clean interception based on URIs (or
their application-specific equivalent) is difficult, but would
probably be required by law.

> Are your average authoritative servers actually stressed out by the
> level of traffic?

I think that most traffic to TLD servers is not related to name
resolution in the original sense anyway, so increased resolver traffic
would just recover lost ground there.
