drc at virtualized.org
Fri Apr 6 13:24:18 CDT 2012
On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
>> It turns out that DNSSEC makes a respectable traffic amplification vector:
> This is definitely a problem.
Yep. So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol.
> Unfortunately, what really should happen is DNSSEC should be revised, to,
> either make sure that the client initiating the query has to either do more
> work than the server, or make a round trip before the DNSSEC data can
> be requested.
Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38
> One way of accomplishing that would be to indicate that DNSSEC data
> can be transmitted only over DNS when using TCP;
I suspect the root server operators might not like this idea very much.
More information about the NANOG