[dns-operations] First experiments with DNS dampening to fight amplification attacks

Dobbins, Roland rdobbins at arbor.net
Fri Oct 26 12:22:20 UTC 2012


On Oct 26, 2012, at 6:04 PM, Shane Kerr wrote:

> Yeah, that's not the infrastructure we care about, since that is not spoofing source addresses on the public Internet.

The point is that the network infrastructure vendors will not invest a lot of time and resources, at least not given the current state of affairs, in trying to tie their network infrastructure gear into any kind of delegation certification PKI infrastructure, as most of the gear they sell isn't connected to the Internet and hasn't any way to connect to the putative delegation PKI system.

Another point is that, given the various controversies in the 'classic' DNS space with regards to various domain takedowns for reasons other than straightforward abuse, the benefits of such a system vs. its potential susceptibility to legislative and regulatory incursions isn't a settled issue (the same concerns apply in the routing space, as well as with regards to DNSSEC).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton



