[dns-operations] root? we don't need no stinkin' root!

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Nov 29 20:25:29 UTC 2019

On Fri, Nov 29, 2019 at 07:34:56PM +0000, Tony Finch wrote:

> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > reflection of answers to forged source IPs is not available with TCP
>
> Attackers can get a small amplification from SYN/ACK retries, and this is
> being used in the wild.
> https://www.darkreading.com/attacks-breaches/new-ddos-attacks-leverage-tcp-amplification-/d/d-id/1336339

Thanks for the link, appreciated.  Perhaps the answer is that a future root
zone retrieval service should be available only via QUIC with always-on address


This should also facilitate data integrity.

