[dns-operations] Is DNSSEC causing more problems than it solves.
Doug Barton
dougb at dougbarton.us
Tue Feb 23 18:23:52 UTC 2016
On 02/23/2016 09:49 AM, Nico CARTRON wrote:
> Doug,
>
>> On 23 Feb 2016, at 19:23, Doug Barton <dougb at dougbarton.email> wrote:
>>
>>> On 02/23/2016 08:35 AM, David C Lawrence wrote:
>>> Brett writes:
>>>> I was very glad to see that Kieran had at least included a link to the
>>>> ISC Article penned by Andrei which is I felt, a very good response to
>>>> the Akamai paper.
>>>
>>> For the record, please do note that the Akamai paper (with which I was
>>> not involved, incidentally) does not make value judgments about the
>>> desirability of DNSSEC in the whole.
>>
>> "This thing is horrible! And bad! And DANGEROUS!!!!" But we're not making value judgements about it? Seriously?
>
> Is it you reading between the lines, or did you actually see such a statement in Akamai's paper?
> Because I didn't see it.
The article talks about how the larger sizes of DNSSEC responses are
just perfect for amplification attacks, and takes great pains to note
that GOV domains are a favorite of hackers both due to their mandatory
DNSSEC requirement and because they cannot be filtered out by security
software.
Certainly Akamai is not foolish enough to come right out and say "DNSSEC
BAD!" But there is more than enough guilt by association to go around in
that paper, and do you really expect the average executive to understand
the subtleties involved? Or that DNSSEC plays a part in amplification
attacks, sure, but without it the attacks would still happen?
It's in Akamai's best interest to slow and/or halt the adoption of
DNSSEC. So painting it as a hacker tool promotes their interests. Or,
put another way, why publish this paper at all? There are a dozen good
resources that explain DNS amplification attacks already out there. What
purposes are served by Akamai publishing another one?
Doug
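As an added example, not part of Doug's message or of the Akamai paper, a small Python check over constructed resolver log lines: it flags responses whose byte ratio to the query is high whether or not the DO bit was set, which is the "without it the attacks would still happen" point in measurable form. The log format, field names, addresses and byte counts are all assumptions made up for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (hypothetical resolver log format, not real traffic):
# one line per response, with query and response sizes in bytes.
SAMPLE_LOG = """\
2016-02-23T18:00:01Z client=198.51.100.7 qname=example.gov qtype=ANY do=1 qlen=45 rlen=3217
2016-02-23T18:00:01Z client=198.51.100.7 qname=example.gov qtype=ANY do=0 qlen=34 rlen=1402
2016-02-23T18:00:02Z client=203.0.113.9 qname=example.net qtype=A do=1 qlen=45 rlen=212
2016-02-23T18:00:02Z client=203.0.113.9 qname=example.net qtype=A do=0 qlen=34 rlen=61
2016-02-23T18:00:03Z client=198.51.100.7 qname=example.gov qtype=DNSKEY do=1 qlen=45 rlen=1512
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"do=(?P<do>[01]) qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)"
)

def parse_log(text):
    """Parse log lines into dicts with an amplification ratio; skip non-matching lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["do"] = d["do"] == "1"          # DO bit: client asked for DNSSEC records
            d["qlen"] = int(d["qlen"])
            d["rlen"] = int(d["rlen"])
            d["ratio"] = d["rlen"] / d["qlen"]  # response bytes per query byte
            records.append(d)
    return records

def flag_amplifiers(records, threshold=10.0):
    """Return (client, qname, qtype, do, ratio) for responses at or above the
    threshold ratio. DNSSEC responses are larger, but an ANY answer without
    the DO bit is flagged just the same."""
    return [
        (r["client"], r["qname"], r["qtype"], r["do"], round(r["ratio"], 1))
        for r in records if r["ratio"] >= threshold
    ]

def client_totals(records):
    """Response bytes sent per client address; a spoofed victim address
    accumulates a large total here and is a candidate for rate limiting."""
    totals = defaultdict(int)
    for r in records:
        totals[r["client"]] += r["rlen"]
    return dict(totals)
```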