[dns-operations] "Poorly configured DNSSEC servers at root of DDoS attacks"
Nico CARTRON
nicolas at ncartron.org
Fri Sep 2 13:13:06 UTC 2016
On 2 September 2016 at 15:08:26, Daniel Kalchev (daniel at digsys.bg) wrote:
> On 2.09.2016 г., at 15:38, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> On Fri, Sep 02, 2016 at 01:33:08PM +0100,
> Tony Finch <dot at dotat.at> wrote
> a message of 33 lines which said:
>
>> Dropping responses is likely to cause problems with legitimate ANY
>> queries.
>
> And it may help poisoning attacks (the spoofer no longer has a race
> with the real server).
Which is why people go to the trouble of deploying DNSSEC.
Sounds like a dog chasing its own tail, isn’t it? ;)
Cheers,
--
Nico
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160902/f10ea9d2/attachment.html>
More information about the dns-operations
mailing list