[dns-operations] question for DNS being attacked
mgraff at isc.org
Thu Jun 28 19:50:58 UTC 2012
On Jun 28, 2012, at 2:35 PM, Paul Vixie wrote:
> On 6/28/2012 7:10 PM, Michael Graff wrote:
>> "BCP 38" Enough said.
> what does that mean?
It means that time and time again, either sufficient mass must implement a feature like this, or it is effectively pointless. It also means that the pain of installing such a security feature is on the side that does not feel the pain.
But, unlike BCP38 which would make a difference if enough ISPs implemented it, this is another form of an arms race against a well armed opponent. That said, the "slip" factor is clever, but I still worry about translating what would be a UDP timeout into a TCP query in addition to a filter that takes only 5 sequential packets to activate.
More information about the dns-operations