[dns-operations] How Stack Overflow plans to survive the next DNS attack
Andrew Sullivan
ajs at anvilwalrusden.com
Wed Jan 11 20:53:16 UTC 2017
On Wed, Jan 11, 2017 at 12:37:57PM -0800, Paul Vixie wrote:

> NOTIFY was defined that way because folks wanted it to be able to
> work over UDP, and we knew that UDP source addresses could be
> spoofed. thus it's very lightweight and there is no value at all to
> an attacker who spoofs a NOTIFY.

I'm not complaining about the design. Just noting the facts about it.

> if something heavier-weight is now needed, then i suggest it be
> defined as an internet standard, so that the entire authority dns
> market can benefit from the resulting lack of lock-in.

This would require interest on the part of those offering the
service(s) to create such a standard. However I personally feel about
this (I'll leave such conclusions to others), I have not yet detected
a clamour of demand either from the provider or consumer side to make
this standard.

Best regards,

A

--
Andrew Sullivan
ajs at anvilwalrusden.com
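
Added example, not part of the original message or of any DNS server's code: a sketch of how a secondary can treat NOTIFY purely as a hint, which is why a spoofed one gains nothing. The `Secondary` class, the callable standing in for an SOA query, and the addresses and serials are constructed for illustration.

```python
from dataclasses import dataclass

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison of 32-bit SOA serials: True if a is newer than b."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

@dataclass
class Secondary:
    primaries: dict  # configured primary address -> callable(zone) -> SOA serial
    serials: dict    # zone -> serial this secondary currently serves

    def on_notify(self, src: str, zone: str, claimed_serial=None) -> str:
        # The UDP source and the NOTIFY contents are unauthenticated, so
        # nothing from the packet (claimed_serial included) is stored.
        if zone not in self.serials:
            return "ignored: not a zone we serve"
        if src not in self.primaries:
            return "ignored: source is not a configured primary"
        # The hint only triggers our own SOA query to the configured primary.
        actual = self.primaries[src](zone)
        if serial_gt(actual, self.serials[zone]):
            self.serials[zone] = actual  # stands in for the AXFR/IXFR
            return "transferred"
        return "up to date"

def demo():
    primary_serial = {"example.com": 2017011101}   # constructed sample data
    sec = Secondary(
        primaries={"192.0.2.1": lambda z: primary_serial[z]},
        serials={"example.com": 2017011101},
    )
    results = [
        sec.on_notify("203.0.113.9", "example.com", 4000000000),
        sec.on_notify("192.0.2.1", "example.com", 4000000000),
    ]
    primary_serial["example.com"] = 2017011102     # real change on the primary
    results.append(sec.on_notify("192.0.2.1", "example.com"))
    return results, sec.serials["example.com"]

if __name__ == "__main__":
    print(demo())
```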