[144979] in cryptography@c2.net mail archive
Re: Possibly questionable security decisions in DNS root management
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Oct 22 10:06:21 2009
To: cryptography@metzdowd.com
From: Florian Weimer <fweimer@bfk.de>
Date: Wed, 21 Oct 2009 08:24:29 +0000
In-Reply-To: <20091019162441.GX15863@np305c2n2.ms.com> (Victor Duchovni's message of "Mon, 19 Oct 2009 12:24:41 -0400")
* Victor Duchovni:
> The optimization is for DDoS conditions, especially amplification via
> forged source IP DNS requests for ". IN NS?". The request is tiny,
> and the response is multiple KB with DNSSEC.
There's only one required signature in a ". IN NS" response, so it
isn't as large as you suggest. (And the priming response is already
larger than 600 bytes due to IPv6 records.)
DNSKEY RRsets are more interesting. But in the end, this is not a DNS
problem, it's a lack of regulation of the IP layer.
-- 
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
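As an added example (not from either poster), here is a Python model of the message sizes this exchange argues about: it builds the ". IN NS" query with EDNS0/DO set and a name-compressed priming response carrying the 13 NS records, a single RRSIG over the NS RRset and A/AAAA glue, then reports the response-to-query ratio that a rate-limiting or reflection-impact estimate would use. The glue addresses (192.0.2.x, 2001:db8::x), the 256-byte zero-filled signature (assumed RSA-2048) and the TTLs are constructed assumptions, so the byte counts approximate rather than reproduce the real root response of the time.

```python
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 2, 28, 41, 46, 1
ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]  # the 13 root NS names
OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)  # EDNS0: 4096-byte UDP, DO bit set

def encode_name(name, comp, offset):
    """Wire-encode a name; a suffix already in the message becomes a 2-byte compression pointer."""
    labels = [l for l in name.split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in comp:
            return out + struct.pack("!H", 0xC000 | comp[suffix])
        comp[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def rr(owner, rtype, rdata, comp, offset, ttl=518400):
    """One resource record; a str rdata is an NS target name and is compressed as well."""
    name = encode_name(owner, comp, offset)
    if isinstance(rdata, str):
        rdata = encode_name(rdata, comp, offset + len(name) + 10)
    return name + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_query():
    """The '. IN NS' priming query with EDNS0: header, root QNAME, QTYPE/QCLASS, OPT."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    return hdr + encode_name(".", {}, 12) + struct.pack("!HH", TYPE_NS, CLASS_IN) + OPT_RR

def build_priming_response(with_ipv6=True, dnssec=True):
    """Modelled answer: 13 NS, one RRSIG over the NS RRset, A (+AAAA) glue for each, OPT."""
    comp = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 13 + dnssec, 0, 13 * (1 + with_ipv6) + 1)
    msg += encode_name(".", comp, len(msg)) + struct.pack("!HH", TYPE_NS, CLASS_IN)
    for ns in ROOT_SERVERS:
        msg += rr(".", TYPE_NS, ns, comp, len(msg))
    if dnssec:
        # RRSIG rdata: type covered, alg 8, labels, orig TTL, expiry, inception, key tag, signer ".", signature (256 zero bytes stand in for an assumed RSA-2048 signature)
        sig = struct.pack("!HBBIIIH", TYPE_NS, 8, 0, 518400, 0, 0, 0) + b"\x00" + bytes(256)
        msg += rr(".", TYPE_RRSIG, sig, comp, len(msg))
    for i, ns in enumerate(ROOT_SERVERS, 1):  # constructed glue: 192.0.2.i and 2001:db8::i
        msg += rr(ns, TYPE_A, bytes([192, 0, 2, i]), comp, len(msg))
        if with_ipv6:
            msg += rr(ns, TYPE_AAAA, bytes([0x20, 0x01, 0x0D, 0xB8]) + bytes(11) + bytes([i]), comp, len(msg))
    return msg + OPT_RR

def amplification_factor(query, response):  # response bytes per query byte
    return len(response) / len(query)
```

With these assumptions the query is 28 bytes; the response is 447 bytes with neither AAAA glue nor RRSIG, 811 bytes once AAAA glue is added, and 1097 bytes with the single RRSIG, roughly a 39x ratio rather than "multiple KB".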