[dns-operations] Limiting DNSSEC-based amplification attacks

Niall O'Reilly Niall.oReilly at ucd.ie
Wed Jun 29 10:18:48 UTC 2011

On 28 Jun 2011, at 13:36, Gilles Massen wrote:

> <op hat off>
> And finally, on the longer term, I think it sends a wrong message,
> leaping to action: the perception of the event shifts from "network
> problem" to "DNS problem" because DNS is involved and could do
> something. The fact that non-BCP38 ISPs are the root cause, and that DNS
> is only the vector of the day gets obfuscated.

	And even with your op hat on, I think.

	Adding overhead to your operation in order to mitigate the
	effects of someone else's negligence not only subsidizes that
	negligence, but also leads to a situation in which any future
	disengagement will likely cause damage and bring blame on
	your operation.


