[dns-operations] [Ext] Mysteries of DNSSEC

Wes Hardaker wjhns1 at hardakers.net
Tue Apr 2 17:28:30 UTC 2024


Paul Hoffman <paul.hoffman at icann.org> writes:

> On Apr 2, 2024, at 08:42, Wes Hardaker <wjhns1 at hardakers.net> wrote:
> 
> > Do check/worry about DDoS reflections from UDP requests for DNSKEYs.
> 
> Why? Of what value is worrying about this? From what you and John
> say, it's pretty clear that you can't do anything effective to
> remediate whatever it is they are doing. Recent DDoS stats indicate
> that redirected DNS over UDP is no longer a significant source in
> real-world attacks.

DNS over UDP is no longer a significant source of threat *because*
operators have taken care to deploy technologies to limit
amplifications.  I could argue that your text above says it's time to
turn off RRL because it's no longer needed, but I don't think that's
actually what you're saying.  I'd argue that without continuing to watch
what is happening in the real world, we may not catch future issues with
amplification attacks.  RRL is actually somewhat defeatable in multiple
ways and we've been lucky that this hasn't been realized well.  

TL;DR: I, personally, would never want to say "this is never going to be
a problem again and no longer needs to be monitored."

-- 
Wes Hardaker
USC/ISI

