[dns-operations] How Stack Overflow plans to survive the next DNS attack

Andrew Sullivan ajs at anvilwalrusden.com
Wed Jan 11 20:53:16 UTC 2017

On Wed, Jan 11, 2017 at 12:37:57PM -0800, Paul Vixie wrote:
> NOTIFY was defined that way because folks wanted it to be able to
> work over UDP, and we knew that UDP source addresses could be
> spoofed. Thus it's very lightweight and there is no value at all to
> an attacker who spoofs a NOTIFY.

I'm not complaining about the design.  Just noting the facts about it.

> If something heavier-weight is now needed, then I suggest it be
> defined as an Internet standard, so that the entire authority DNS
> market can benefit from the resulting lack of lock-in.

This would require interest on the part of those offering the
service(s) to create such a standard.  However I personally feel about
this (I'll leave such conclusions to others), I have not yet detected
a clamour of demand either from the provider or consumer side to make
this standard.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com
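The design point in the quoted exchange (a spoofed NOTIFY buys an attacker nothing, because the receiving secondary only ever acts towards its configured primaries, RFC 1996 sections 3.10 and 4.7) is easy to see in code. The following is an added example written for this page, not code from either poster or from any nameserver: a minimal NOTIFY encoder/parser and a toy model of a secondary's decision logic. The `Secondary` class, its `check_source` switch and the 192.0.2.x / 203.0.113.x addresses are illustrative assumptions.

```python
"""Minimal DNS NOTIFY (RFC 1996) wire encoder/parser plus a toy secondary,
showing why a NOTIFY spoofed over UDP is harmless: the only action it can
ever trigger is an SOA check against the *configured* primary, never
against the packet's source address."""
import struct
from typing import Dict, List, Optional, Tuple

OPCODE_NOTIFY = 4
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Wire-format name at offset -> (dotted name, offset past it)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_notify(zone: str, msg_id: int = 0x1234) -> bytes:
    """NOTIFY request: QR=0, Opcode=4, AA=1, one question <zone, SOA, IN>."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)  # opcode field + AA bit
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_notify_response(request: bytes) -> bytes:
    """RFC 1996 4.7: echo the request header with QR=1 (no answer data)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", request[:12])
    return struct.pack("!HHHHHH", msg_id, flags | (1 << 15), qd, an, ns, ar) + request[12:]


def parse_notify(msg: bytes) -> Optional[str]:
    """Return the zone named in a NOTIFY request, or None for anything else."""
    if len(msg) < 12:
        return None
    _msg_id, flags, qd, *_ = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 15) & 1:                  # QR=1: a response, not a request
        return None
    if (flags >> 11) & 0xF != OPCODE_NOTIFY or qd != 1:
        return None
    zone, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if qtype != QTYPE_SOA or qclass != QCLASS_IN:
        return None
    return zone


class Secondary:
    """Toy secondary (assumed model, not any real server's code).

    zones maps zone name -> list of configured primary addresses.
    check_source=True is the RFC 1996 3.10 behaviour: drop NOTIFYs whose
    source is not a known primary. Even with the check off (or defeated by
    spoofing a primary's address), the scheduled work is still only an SOA
    query to the configured primaries, so the source address never matters.
    """

    def __init__(self, zones: Dict[str, List[str]], check_source: bool = True):
        self.zones = zones
        self.check_source = check_source
        self.soa_checks: List[Tuple[str, str]] = []   # (zone, primary) queued

    def on_udp(self, src_ip: str, msg: bytes) -> str:
        zone = parse_notify(msg)
        if zone is None:
            return "ignored: not a NOTIFY request"
        primaries = self.zones.get(zone)
        if primaries is None:
            return f"ignored: not a secondary for {zone}"
        if self.check_source and src_ip not in primaries:
            return f"ignored: {src_ip} is not a configured primary for {zone}"
        # The cheap, bounded consequence: ask our own primaries for the SOA.
        for primary in primaries:
            self.soa_checks.append((zone, primary))
        return f"scheduled SOA check for {zone} against configured primaries"
```

Run `Secondary({"example.com.": ["192.0.2.1"]}).on_udp("203.0.113.9", build_notify("example.com."))` and the packet is logged and dropped; send it from the primary's address (or with `check_source=False`) and the worst case is one SOA query to 192.0.2.1, which is why the protocol could afford to stay on spoofable UDP.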

