[dns-operations] responding to spoofed ANY queries

Paul Vixie paul at redbarn.org
Sun Jan 13 00:51:31 UTC 2013


Florian Weimer wrote:

>> The problem is amplification.
>
> No, the actual problem is source address spoofing.

in that having only amplification and not spoofing would mean there
would be no problem, this is true.

in that having only spoofing and not amplification would mean there
would be a smaller problem, it's less true.

in other words, a world without amplification would be almost as good as
a world without spoofing. moreover, a world with only attenuation would
be as good as a world without spoofing, because the victim would be hit
directly rather than through attenuators.

>> It can only be mitigated.
>
> The spoofing problem could be mitigated if we actually wanted to, and
> were willing to punish those who try to send their pollution to the
> rest of the network.

no. there is no "we" in this context. the lack of an adequate set of
shunners is no more notable than a lack of an adequate set of informed
voters or any other adequate set of things that can by definition only
be imagined, never real.

> We just need to admit that self-regulation by the industry has failed
> to address this matter adequately.

and having so admitted, what will we do next or do differently? industry
self regulation does not prevent shepherds from grazing their flocks in
the village commons. for that class of problem, the solution throughout
human history has been law. the internet is extra-legal because it is
extra-national. we know all this, and we've known it for decades. what
can be done in light of all this we know?

paul