[dns-operations] Side effects of enabling DNSSEC?

paul vixie paul at redbarn.org
Fri Aug 3 04:34:49 UTC 2012


On 8/3/2012 4:28 AM, Dobbins, Roland wrote:
> On Aug 3, 2012, at 10:07 AM, Mohamed Lrhazi wrote:
>
>> I guess I should ask the same question about side effects when there are no configuration mistakes at all :) 
> One unintended consequence of DNSSEC deployment is that it has made DNS reflection/amplification attacks even easier - rather than have to dork around looking for large TXT records or issuing ANY queries, the attacker is guaranteed that he'll get at least a 1300-byte response for all the spoofed queries he issues to DNSSEC-capable DNS servers.

i believe the largest secure dns responses are negative. qname proof +
apex proof + wildcard proof. it's not about TXT and it never was about ANY.




