[dns-operations] DNSbomb attack

Paul Vixie paul at redbarn.org
Tue May 28 09:56:16 UTC 2024


This attack was predicted by DNS RRL in 2012 and as such is not novel. All full resolvers should make RRL the default, as BIND9 seems to have done. 


https://circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns 


I am in full support of ISC's position on this. 


p vixie 


On May 28, 2024 09:10, Ondřej Surý <ondrej at sury.org> wrote:

Stephane,

I must say that I am disappointed by the narrative that you are creating here: “this is good reading, but ISC disagrees”.

We actually think the proposed attack is a very clever way to abuse the way modern resolvers work. Our argument is that the existing (default) BIND 9 settings already mitigate the attack to a level that’s just enough. And that’s described at length in the mentioned blogpost by Nicki.

I don’t know why you are trying to create a rift where there’s really none.

Ondřej
--
Ondřej Surý (He/Him)

> On 27. 5. 2024, at 17:12, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> The paper is good reading:
> 
> https://dnsbomb.net/
> 
> ISC disagrees:
> 
> https://www.isc.org/blogs/2024-dnsbomb/
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

