[dns-operations] question for DNS being attacked

Michael Graff mgraff at isc.org
Thu Jun 28 19:50:58 UTC 2012

On Jun 28, 2012, at 2:35 PM, Paul Vixie wrote:

> On 6/28/2012 7:10 PM, Michael Graff wrote:
>> "BCP 38"  Enough said.
> what does that mean?

It means that time and time again, either sufficient mass must implement a feature like this, or it is effectively pointless.  It also means that the pain of installing such a security feature is on the side that does not feel the pain.

But, unlike BCP38 which would make a difference if enough ISPs implemented it, this is another form of an arms race against a well armed opponent.  That said, the "slip" factor is clever, but I still worry about translating what would be a UDP timeout into a TCP query in addition to a filter that takes only 5 sequential packets to activate.


More information about the dns-operations mailing list