nanog mailing list archives
Re: DNS noise
From: David Conrad <drc () virtualized org>
Date: Fri, 6 Apr 2012 11:24:18 -0700
On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
> It turns out that DNSSEC makes a respectable traffic amplification vector:
> This is definitely a problem.
Yep. So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol.
> Unfortunately, what really should happen is DNSSEC should be revised to either make sure that the client initiating the query has to do more work than the server, or make a round trip before the DNSSEC data can be requested.
Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38
> One way of accomplishing that would be to indicate that DNSSEC data can be transmitted only over DNS when using TCP;
I suspect the root server operators might not like this idea very much.

Regards,
-drc
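The two defender-side points the exchange turns on (a resolver can see when it is being used as a reflector, because the bytes it sends to a claimed source dwarf the bytes that source sent it; and BCP38 ingress filtering stops the spoofed queries before they reach the resolver at all) can be checked with a few lines of Python. This is an added illustration, not code from the thread or from any NANOG participant. The flow records, prefixes and addresses are constructed from documentation ranges, and the 10x ratio and 4 KiB floor used to flag a peer are assumed thresholds, not values stated in the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of UDP/53 datagrams at a resolver's edge (not real data).
# Each tuple: (direction, peer_ip, wire_bytes). "in" is a query arriving from
# the claimed source address, "out" is the response sent back to it.
# 203.0.113.5 never really asked: its address is spoofed by an attacker, and
# large DNSSEC answers are being reflected onto it.
SAMPLE_FLOWS = [
    ("in", "203.0.113.5", 60), ("out", "203.0.113.5", 3000),
    ("in", "203.0.113.5", 60), ("out", "203.0.113.5", 3000),
    ("in", "203.0.113.5", 60), ("out", "203.0.113.5", 3000),
    ("in", "198.51.100.7", 70), ("out", "198.51.100.7", 120),
    ("in", "198.51.100.7", 70), ("out", "198.51.100.7", 120),
]


def amplification_by_peer(flows):
    """Return {peer: (bytes_in, bytes_out, ratio)} for every peer address.

    ratio is bytes_out / bytes_in; a peer that sent nothing gets infinity.
    """
    totals = defaultdict(lambda: [0, 0])
    for direction, peer, nbytes in flows:
        totals[peer][0 if direction == "in" else 1] += nbytes
    result = {}
    for peer, (bytes_in, bytes_out) in totals.items():
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        result[peer] = (bytes_in, bytes_out, ratio)
    return result


def suspected_reflection(flows, ratio_threshold=10.0, min_bytes_out=4096):
    """Peers receiving far more from this resolver than they sent to it.

    Both thresholds are assumed values for the example; tune them to the
    resolver's normal query/response profile before alerting on them.
    """
    return sorted(
        peer
        for peer, (_, bytes_out, ratio) in amplification_by_peer(flows).items()
        if ratio >= ratio_threshold and bytes_out >= min_bytes_out
    )


# BCP38 ingress filter: on a customer-facing interface, only source addresses
# from the prefixes assigned to that customer are forwarded. Prefixes are
# constructed from documentation ranges.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:100::/48")
]


def bcp38_permits(prefixes, src_ip):
    """True if src_ip falls inside one of the prefixes allowed on the interface."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes if net.version == addr.version)


def filter_ingress(prefixes, packets):
    """Split (src_ip, payload) packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, payload in packets:
        (forwarded if bcp38_permits(prefixes, src) else dropped).append((src, payload))
    return forwarded, dropped


if __name__ == "__main__":
    for peer, (b_in, b_out, ratio) in amplification_by_peer(SAMPLE_FLOWS).items():
        print(f"{peer:16} in={b_in:6d} out={b_out:6d} ratio={ratio:.1f}")
    print("suspected reflection targets:", suspected_reflection(SAMPLE_FLOWS))
    # Constructed packets: one legitimate customer query and one spoofed with
    # the victim's address as source.
    fwd, drop = filter_ingress(
        CUSTOMER_PREFIXES,
        [("198.51.100.7", "query example."), ("203.0.113.5", "query example.")],
    )
    print("forwarded:", fwd)
    print("dropped by BCP38 filter:", drop)
```

The amplification check is what a resolver operator sees from the inside; the ingress filter is what the network sourcing the spoofed queries should be applying, which is why David points at BCP38 rather than at changing DNSSEC.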