[dns-operations] are we adding value?

Paul Vixie paul at redbarn.org
Wed Jan 16 00:31:50 UTC 2013


yes, we are adding value.

George Michaelson wrote:
> ...
>
> I think sending a stronger message about uRPF type defences, and asking other people to look at spoof source is better.

i thought this in 2002. that's why i wrote
<http://archive.icann.org/en/committees/security/sac004.txt>. been
there, done that, traveled nearly 1M air miles and talked to everybody i
met on every stage i was on. total result: squat. we've been overwhelmed
by new "cloud" virtual servers running unpatched web apps. the bad guys
have more firepower than ever, and most virtual hosting providers can't
afford the manpower to either patch customer systems, handle complaints,
or block spoofed-source attack flows. (those that try are probably
bought out by those who don't, due to the difference in their profit
margins.)

so let me tell you from experience, what you're asking for is not better
than complexifying DNS. more below.

> Sometimes it pays to recognise you can't solve a problem, and look to who can. ...

we did that. see above. now we have to look to who actually will, or
would, among others who can. that translates to those whose real ip
addresses are revealed to victims. that means the amplifiers. we have
never gained ground on those whose real ip addresses are not revealed
during attacks, and we have for outside cause lost ground there. now we
have to do what can be done, which means finding someone who can act
whose identity is revealed and who can therefore hear complaints and who
can also act. i'd rather fix this at the source, but failing that, _and
we have in fact failed_, all we can do is fix the amplifiers.

> ...
> We're in a world where the goal is to answer questions, quickly and accurately. The fixes are beginning to look like major attacks on that fundamental.

i think we need to hold a world wide "kiss simplicity goodbye" festival.
because from now on all recursive name servers will have to be ACL'd,
and all authority name servers will have to be RRL'd. there's no going back.

paul
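The two controls the post ends on, an ACL on recursion and RRL on authoritative answers, in a small runnable model. This is an added illustration, not code from the thread, from BIND or from the RRL patch; the budget, slip and window values are assumed for the example and the traffic is constructed, not captured.

```python
"""Toy model of the two controls the post says every name server now needs:
an ACL on recursive service and Response Rate Limiting (RRL) on authoritative
answers. Added example; not code from the thread or from any name server.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


# --- recursive side: only serve recursion to clients inside an ACL ----------
def recursion_allowed(client_ip: str, acl: list[str]) -> bool:
    """True if client_ip falls within one of the ACL prefixes. A resolver that
    recurses for arbitrary sources is an amplifier for anyone who can spoof."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in acl)


# --- authoritative side: response rate limiting -----------------------------
DNS_FLAG_TC = 0x0200  # TrunCation bit in the DNS header flags word (RFC 1035)


def truncate_flags(flags: int) -> int:
    """Set TC=1 on a 'slipped' reply: it carries no answer data, so it cannot be
    amplified, but a genuine client retries over TCP, which a spoofer cannot."""
    return flags | DNS_FLAG_TC


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # assumed budget per (client net, answer)
    slip: int = 2                   # every 2nd over-limit reply is truncated, not dropped
    ipv4_prefix_len: int = 24       # clients are aggregated per /24
    window: int = 15                # max seconds of unused credit a bucket may bank


@dataclass
class _Bucket:
    balance: float
    last_ts: float
    over_limit_count: int = 0


class ResponseRateLimiter:
    def __init__(self, cfg: RRLConfig | None = None) -> None:
        self.cfg = cfg or RRLConfig()
        self._buckets: dict[tuple, _Bucket] = {}

    def _key(self, client_ip: str, qname: str, qtype: str) -> tuple:
        # Identical answers to one client network share a bucket, so a reflection
        # flood toward a single victim shows up as one very busy key.
        net = ipaddress.ip_network(f"{client_ip}/{self.cfg.ipv4_prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip: str, qname: str, qtype: str, now: float) -> str:
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        cfg = self.cfg
        key = self._key(client_ip, qname, qtype)
        b = self._buckets.get(key)
        if b is None:
            b = _Bucket(balance=cfg.responses_per_second, last_ts=now)
            self._buckets[key] = b
        # Refill credit for the time elapsed, capped at `window` seconds' worth.
        b.balance = min(cfg.responses_per_second * cfg.window,
                        b.balance + (now - b.last_ts) * cfg.responses_per_second)
        b.last_ts = now
        if b.balance >= 1:
            b.balance -= 1
            return "send"
        b.over_limit_count += 1
        if cfg.slip and b.over_limit_count % cfg.slip == 0:
            return "slip"
        return "drop"


def simulate(queries, cfg: RRLConfig | None = None) -> dict:
    """Run (timestamp, client_ip, qname, qtype) tuples through RRL; tally actions."""
    rrl = ResponseRateLimiter(cfg)
    tally = {"send": 0, "slip": 0, "drop": 0}
    for ts, ip, qname, qtype in queries:
        tally[rrl.decide(ip, qname, qtype, ts)] += 1
    return tally


# Constructed traffic (not captured data): 100 identical ANY queries within one
# second, all carrying the same spoofed source, i.e. a reflection flood at 203.0.113.7.
FLOOD = [(0.0, "203.0.113.7", "example.com", "ANY") for _ in range(100)]
# A legitimate resolver asking once a second for ten seconds.
NORMAL = [(float(t), "198.51.100.20", "example.com", "A") for t in range(10)]

if __name__ == "__main__":
    print("flood :", simulate(FLOOD))    # budget of 5 sent, the rest slipped or dropped
    print("normal:", simulate(NORMAL))   # all 10 answered
    print("recursion for 10.0.0.5:", recursion_allowed("10.0.0.5", ["10.0.0.0/8"]))
```

The point of the slip is the part people miss: dropping everything over budget would also cut off a real client that happens to share a /24 with a spoofed victim, while a truncated reply costs the victim nothing and tells a real client to come back over TCP. Real RRL implementations track the bucket per response tuple (including error responses) and carry more state than this; the budget shape is the same.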