nanog mailing list archives

Re: DNS noise


From: David Conrad <drc () virtualized org>
Date: Fri, 6 Apr 2012 11:24:18 -0700

On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
> It turns out that DNSSEC makes a respectable traffic amplification vector:
> This is definitely a problem.

Yep.  So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol.

> Unfortunately, what really should happen is DNSSEC should be revised to
> either make sure that the client initiating the query has to do more
> work than the server, or make a round trip before the DNSSEC data can
> be requested.

Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38

> One way of accomplishing that would be to indicate that DNSSEC data
> can be transmitted only over DNS when using TCP;

I suspect the root server operators might not like this idea very much.

Regards,
-drc
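An added example, not part of the thread above or of any real DNS server: a small Python model of the "round trip before the DNSSEC data" idea Jimmy floats. The UDP front end serves small answers directly, but a large (DNSSEC-sized) answer only goes to a source address that has recently completed a query over TCP; anyone else gets a minimal TC=1 reply and must retry over TCP, whose handshake a spoofed source cannot finish. This is essentially the "slip" behaviour of response rate limiting (RRL) in BIND and others, reduced to its core. The UdpFrontEnd class, its `udp_limit`/`verify_ttl` parameters, the IP addresses, and the opaque 3000-byte answer are all assumptions or constructed data; the wire formats (DNS header, EDNS0 OPT record, DO bit, TC bit) follow RFC 1035 and RFC 6891.

```python
"""Model of a UDP front end that withholds large answers from unverified
sources and forces a TCP round trip instead.  Added example; the policy class
and sample packets are constructed here, not taken from the original message."""

import struct
import time

TYPE_DNSKEY, TYPE_OPT = 48, 41
DO_FLAG = 0x8000          # EDNS0 "DNSSEC OK" bit, carried in the OPT record's TTL field
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def build_query(name: str, qtype: int, do_bit: bool = True,
                udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Minimal query with an EDNS0 OPT record, as an open resolver would receive it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # one question, one OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do_bit else 0, 0)
    return header + question + opt


def parse_query(q: bytes) -> dict:
    """Extract txid, the raw question section, and EDNS parameters (size, DO)."""
    txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", q[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(q, off) + 4          # QTYPE + QCLASS
    question = q[12:off]
    udp_size, do_bit = 512, False
    for _ in range(ar):
        off = skip_name(q, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", q[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            udp_size, do_bit = rclass, bool(ttl & DO_FLAG)
    return {"txid": txid, "question": question, "udp_size": udp_size, "do": do_bit}


def truncated_reply(parsed: dict) -> bytes:
    """QR=1, TC=1, no answer: the client must re-ask over TCP (RFC 1035 section 4.2.1)."""
    header = struct.pack("!HHHHHH", parsed["txid"], FLAG_QR | FLAG_TC | FLAG_RD, 1, 0, 0, 0)
    return header + parsed["question"]


def constructed_answer(parsed: dict, rdata_len: int) -> bytes:
    """Stand-in for a DNSKEY+RRSIG answer: one RR carrying rdata_len opaque bytes.
    Constructed data; the point is only the response size."""
    header = struct.pack("!HHHHHH", parsed["txid"], FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_DNSKEY, 1, 3600, rdata_len) + bytes(rdata_len)
    return header + parsed["question"] + rr


class UdpFrontEnd:
    """Assumed policy: answers larger than udp_limit go over UDP only to a source
    that completed a TCP query within verify_ttl seconds; everyone else is slipped
    a TC=1 reply.  Real RRL implementations use richer parameters than these."""

    def __init__(self, udp_limit: int = 512, verify_ttl: float = 60.0, now=time.monotonic):
        self.udp_limit, self.verify_ttl, self.now = udp_limit, verify_ttl, now
        self.verified = {}                   # src address -> time of last TCP query

    def note_tcp_query(self, src: str) -> None:
        """A query arrived over TCP: the three-way handshake proved src is reachable."""
        self.verified[src] = self.now()

    def handle_udp(self, src: str, query: bytes, full_answer: bytes) -> bytes:
        parsed = parse_query(query)
        recently_verified = self.now() - self.verified.get(src, float("-inf")) < self.verify_ttl
        if len(full_answer) <= self.udp_limit or recently_verified:
            return full_answer
        return truncated_reply(parsed)


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the (possibly spoofed) source per byte received."""
    return len(response) / len(query)


if __name__ == "__main__":
    fe = UdpFrontEnd()
    q = build_query("example.net", TYPE_DNSKEY)
    big = constructed_answer(parse_query(q), 3000)
    print("unverified (spoofable) source, UDP:", amplification(q, fe.handle_udp("203.0.113.9", q, big)))
    fe.note_tcp_query("198.51.100.7")
    print("source that completed TCP, UDP:", amplification(q, fe.handle_udp("198.51.100.7", q, big)))
```

The TC=1 reply is a few bytes shorter than the query that triggered it, so the amplification toward a spoofed victim drops below 1, while a client that can actually complete a TCP handshake still gets the large answer over UDP afterwards. As David notes above, this only treats the symptom: the reflection exists because the source address was never validated, which is what BCP38 filtering at the network edge addresses.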


