[dns-operations] Is DNSSEC causing more problems than it solves.

Doug Barton dougb at dougbarton.us
Tue Feb 23 18:23:52 UTC 2016

On 02/23/2016 09:49 AM, Nico CARTRON wrote:
> Doug,
>> On 23 Feb 2016, at 19:23, Doug Barton <dougb at dougbarton.email> wrote:
>>> On 02/23/2016 08:35 AM, David C Lawrence wrote:
>>> Brett writes:
>>>> I was very glad to see that Kieran had at least included a link to the
>>>> ISC Article penned by Andrei which is I felt, a very good response to
>>>> the Akamai paper.
>>> For the record, please do note that the Akamai paper (with which I was
>>> not involved, incidentally) does not make value judgments about the
>>> desirability of DNSSEC in the whole.
>> "This thing is horrible! And bad! And DANGEROUS!!!!" But we're not making value judgements about it? Seriously?
> Is it you reading between the lines, or you actually saw such as statement in Akamai's paper?
> Because I didn't see it.

The article talks about how the larger sizes of DNSSEC responses are 
just perfect for amplification attacks, and takes great pains to note 
that GOV domains are a favorite of hackers both due to their mandatory 
DNSSEC requirement and because they cannot be filtered out by security 

Certainly Akamai is not foolish enough to come right out and say "DNSSEC 
BAD!" But there is more than enough guilt by association to go around in 
that paper, and do you really expect the average executive to understand 
the subtleties involved? Or that DNSSEC plays a part in amplification 
attacks, sure, but without it the attacks would still happen?

It's in Akamai's best interest to slow and/or halt the adoption of 
DNSSEC. So painting it as a hacker tool promotes their interests. Or, 
put another way, why publish this paper at all? There are a dozen good 
resources that explain DNS amplification attacks already out there. What 
purposes are served by Akamai publishing another one?


More information about the dns-operations mailing list