[dns-operations] Limiting DNSSEC-based amplification attacks
Niall.oReilly at ucd.ie
Wed Jun 29 10:18:48 UTC 2011
On 28 Jun 2011, at 13:36, Gilles Massen wrote:
> <op hat off>
> And finally, on the longer term, I think it sends a wrong message,
> leaping to action: the perception of the event shifts from "network
> problem" to "DNS problem" because DNS is involved and could do
> something. The fact that non-BCP38 ISPs are the root cause, and that DNS
> is only the vector of the day gets obfuscated.
And even with your op hat on, I think.
Adding overhead to your operation in order to mitigate the
effects of someone else's negligence not only subsidizes that
negligence, but also leads to a situation in which any future
disengagement will likely cause damage and bring blame on
More information about the dns-operations