[dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

paul vixie paul at redbarn.org
Thu Sep 27 21:03:22 UTC 2012


On 9/27/2012 8:55 PM, bert hubert wrote:
> As engineers, we often forget that the perfect is the enemy of the
> good. This should not stop us from deploying the good. That was the
> only thing I wanted to add.  

thanks for clarifying. i agree. we already know how to beat DNS RRL but
i figure this is going to be an iterative arms race and that we have to
start somewhere. as we force the attackers to evolve, some will do so
better than others. that means in some rounds we will win. but only if
we enter this game at all.

noting, i'm still pissed off that economics make SAC004 impractical. the
network operators who are not doing and will not do source address
validation are shifting the costs to our dns servers. network operators
could far more easily stop this crap at the source, compared to us
cleaning it up at our end.

paul

-- 
"I suspect I'm not known as a font of optimism." (VJS, 2012)
