[dns-operations] root? we don't need no stinkin' root!
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Nov 29 20:25:29 UTC 2019
On Fri, Nov 29, 2019 at 07:34:56PM +0000, Tony Finch wrote:
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > reflection of answers to forged source IPs is not available with TCP
>
> Attackers can get a small amplification from SYN/ACK retries, and this is
> being used in the wild.
>
> https://www.darkreading.com/attacks-breaches/new-ddos-attacks-leverage-tcp-amplification-/d/d-id/1336339
Thanks for the link, appreciated. Perhaps the answer is that a future root
zone retrieval service should be available only via QUIC with always-on address
validation:
https://tools.ietf.org/html/draft-ietf-quic-transport-24#section-8.1.1
https://tools.ietf.org/html/draft-ietf-quic-transport-24#section-8.1
This should also facilitate data integrity.
--
Viktor.
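The always-on address validation the message points to (draft-ietf-quic-transport-24, section 8.1), modelled as an added example that is not code from this thread or from any QUIC implementation: a server refuses to send more than three times the bytes it has received from an unvalidated address, and accepts an address only once the client echoes a Retry token bound to it. The token format, its lifetime and the RFC 5737 sample addresses are assumptions.

```python
import hashlib
import hmac
import os
import struct

AMPLIFICATION_LIMIT = 3   # draft-24 s.8.1: at most 3x bytes received until the address is validated
MIN_INITIAL_SIZE = 1200   # draft-24 s.14: client Initial datagrams are padded to at least 1200 bytes
TOKEN_LIFETIME = 30       # seconds; assumed value, the draft leaves this to the server


class AddressValidator:
    """Server-side address-validation state, keyed by client address (assumed model)."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)  # secret used to authenticate Retry tokens
        self.received = {}                # addr -> bytes received from that address
        self.sent = {}                    # addr -> bytes sent to that address
        self.validated = set()

    def _mac(self, addr, expiry):
        msg = addr.encode() + struct.pack(">Q", expiry)
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def retry_token(self, addr, now):
        """Token = expiry || HMAC(key, addr || expiry); bound to one address, short-lived."""
        expiry = int(now) + TOKEN_LIFETIME
        return struct.pack(">Q", expiry) + self._mac(addr, expiry)

    def token_valid(self, addr, token, now):
        if len(token) != 24:
            return False
        expiry = struct.unpack(">Q", token[:8])[0]
        return expiry >= int(now) and hmac.compare_digest(token[8:], self._mac(addr, expiry))

    def on_initial(self, addr, size, token, now):
        """Returns 'drop', 'retry' or 'accept' for a client Initial datagram of `size` bytes."""
        if size < MIN_INITIAL_SIZE:
            return "drop"                  # under-sized Initials are discarded, not answered
        self.received[addr] = self.received.get(addr, 0) + size
        if token and self.token_valid(addr, token, now):
            self.validated.add(addr)       # the client proved it can receive at addr
            return "accept"
        return "retry"                     # answer with a small Retry carrying retry_token(addr, now)

    def may_send(self, addr, n):
        """Anti-amplification check: a spoofed source can never receive more than 3x what it sent."""
        if addr in self.validated:
            return True
        budget = AMPLIFICATION_LIMIT * self.received.get(addr, 0) - self.sent.get(addr, 0)
        return n <= budget

    def record_sent(self, addr, n):
        self.sent[addr] = self.sent.get(addr, 0) + n
```

With this bound in place, a zone transfer of any size to an unvalidated address is impossible, which is the property the TCP SYN/ACK retry amplification above lacks.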