[dns-operations] How Stack Overflow plans to survive the next DNS attack
Paul Vixie
vixie at tisf.net
Wed Jan 11 20:37:57 UTC 2017
On Wednesday, January 11, 2017 9:35:20 AM PST Andrew Sullivan wrote:
> ..., and quite apart from the other issues you noted, NOTIFY can get
> lost, and NOTIFY does not actually provide a confirmation that it was
> received or that the subsequent transaction happened. So NOTIFY is
> not a push, it's a "please pull" request. The difference is subtle,
> but in an environment where people are using 30s TTLs in an effort to
> steer traffic the difference may be important. (That IXFR-only never
> got standardized is another problem for the same class of people.)
NOTIFY was defined that way because folks wanted it to be able to work over UDP, and we knew that UDP source addresses could be spoofed. thus it's very lightweight and there is no value at all to an attacker who spoofs a NOTIFY.
if something heavier-weight is now needed, then i suggest it be defined as an internet standard, so that the entire authority dns market can benefit from the resulting lack of lock-in.
--
P. Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170111/dd3156c9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: .vcf
Type: text/vcard
Size: 268 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170111/dd3156c9/attachment-0001.vcf>
More information about the dns-operations
mailing list