[dns-operations] Storm on the DNS

Patrik Fältström paf at frobbit.se
Wed Dec 16 05:22:32 UTC 2015


On 16 Dec 2015, at 4:51, Dave Warren wrote:

> Plus, if we're going to replace something as fundamental as DNS in any major way, BCP38 will cause a lot less pain overall and might well kick the replace-DNS can far enough down the road while mostly solving the current DDoS capabilities.

BCP48 / SAC-004 is what is needed. The kick down the road is a pretty hard kick.

The ability to have a stateless protocol for lookups is pretty nice.

And "stateless communication on top of TCP" which HTTP does is not optimal either. And no, HTTP/2 is not really what we need either as it has many weaknesses.

Beep was doing the right thing, and HTTP/3 might be where we need to go.

Anyway, my point is that I completely agree with Dave here. If we could at last get some better control over the IP addresses, we would be in a better situation. And given the depletion of IPv4 space when people started to use each other's IP addresses, the situation will not be better, but worse, pretty quickly.

As a defence during an attack, I envision, sooner than I expected, blocking IPv4 to be one mechanism that simply must be deployed.

   Patrik