[dns-operations] about anti-ddos DNS hostings

Edward Lewis edward.lewis at icann.org
Wed Jun 17 10:51:29 UTC 2015


On 6/16/15, 16:13, "Florian Weimer" <fw at deneb.enyo.de> wrote:

>* Edward Lewis:
>
>> It's not just a matter of the rich getting richer and the poor getting
>> poorer, it's a matter rooted in a technical fault in the architecture of
>> the system.
>
>It's not a technical fault.  There's little liability for forwarding
>packets with forged source addresses, or designing networks with that
>flaw built into them.  There's no technical solution to that.  You
>can't stop pollution by creating better filters because there is
>always an incentive not to filter your waste at all.

My point of view is that the approach of security additions over the past
decades has exacerbated the problem rather than alleviated it.  Practical
solutions to security start with ensuring the usefulness of the system is
paramount - availability increased via the reduction in abuse.  Our
approaches haven't met that principle.

DNS knows that UDP is unsafe.  Yet DNS relies on it.  Pointing fingers at
UDP is like sticking your head in the sand and ignoring the problem.
There's been no approach that has gained consensus enough to even begin
talking about deployment incentives.