[106682] in North American Network Operators' Group


Re: maybe a dumb idea on how to fix the dns problems i don't know....

daemon@ATHENA.MIT.EDU (Joe Abley)
Sat Aug 9 18:16:11 2008

From: Joe Abley <jabley@ca.afilias.info>
To: Matt F <matt@credibleinstitution.org>
In-Reply-To: <489E15EC.2060801@credibleinstitution.org>
Date: Sat, 9 Aug 2008 18:15:56 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


On 9 Aug 2008, at 18:10, Matt F wrote:

> Why not just require TCP for a lookup if a response with an  
> incorrect TXID is received?  You could require TCP for just the one  
> lookup or for some configured interval, say 1 hour.  That should  
> slow attackers down substantially.

That sounds like a good way for a remote attacker to make a resolver  
disable UDP transport for a server, more or less at will. I'm not sure  
I like the sound of that.


Joe
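As an added illustration of the objection above (this is not code from the thread and not any real resolver's code), the following Python model implements the proposed policy literally: a response whose transaction ID does not match the outstanding query puts the responding server into TCP-only mode for the configured interval. The server address (192.0.2.53), the query name, the transaction IDs and the fake clock are all constructed for the example. The point it shows is that the trigger is an unauthenticated datagram: an off-path attacker who cannot guess the TXID still gets the mismatch, so one spoofed packet per server per interval is enough to force that server onto TCP.

```python
import time

# "some configured interval, say 1 hour", as proposed in the thread
TCP_PENALTY_SECONDS = 3600


class FakeClock:
    """Monotonic-clock stand-in so the example runs instantly and deterministically."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ProposedResolverPolicy:
    """Toy model of the proposed transport policy (hypothetical, not a real resolver).

    A response with a wrong TXID marks the server TCP-only until now + penalty.
    Note what is NOT checked: nothing authenticates the datagram that flips the
    state, so a spoofed packet from anywhere has the same effect as a real one.
    """

    def __init__(self, penalty_seconds=TCP_PENALTY_SECONDS, now=time.monotonic):
        self.penalty = penalty_seconds
        self.now = now
        self.tcp_until = {}    # server address -> time until which TCP is required
        self.outstanding = {}  # (server, qname) -> TXID of the in-flight query

    def transport_for(self, server):
        until = self.tcp_until.get(server)
        if until is not None and self.now() < until:
            return "tcp"
        return "udp"

    def send_query(self, server, qname, txid):
        """Record the in-flight query and return the transport it would use."""
        self.outstanding[(server, qname)] = txid
        return self.transport_for(server)

    def receive_response(self, server, qname, txid):
        expected = self.outstanding.get((server, qname))
        if expected is None:
            return "ignored"  # no matching query in flight
        if txid != expected:
            # The proposal: TXID mismatch => require TCP from this server for a while.
            self.tcp_until[server] = self.now() + self.penalty
            return "mismatch"
        del self.outstanding[(server, qname)]
        return "accepted"


def demo_attacker_forces_tcp(clock=None):
    """Blind attacker sends one wrong-TXID response and the server goes TCP-only."""
    clock = clock if clock is not None else FakeClock()
    resolver = ProposedResolverPolicy(now=clock)
    server = "192.0.2.53"  # constructed address (TEST-NET-1), not a real server

    before = resolver.send_query(server, "example.net.", txid=0x1F3A)
    # Off-path attacker cannot see the real TXID; any guess that misses
    # is enough to trip the policy. Source address is not checked at all.
    verdict = resolver.receive_response(server, "example.net.", txid=0x0001)
    during = resolver.transport_for(server)
    # A fresh query to the same server during the penalty window goes over TCP.
    next_query = resolver.send_query(server, "example.org.", txid=0x2B4C)
    # The legitimate answer to the first query is still accepted afterwards.
    legit = resolver.receive_response(server, "example.net.", txid=0x1F3A)

    clock.advance(TCP_PENALTY_SECONDS + 1)
    after = resolver.transport_for(server)
    return {
        "before": before,
        "verdict": verdict,
        "during": during,
        "next_query": next_query,
        "legit": legit,
        "after": after,
    }


if __name__ == "__main__":
    print(demo_attacker_forces_tcp())
```

The attacker's cost here is one spoofed UDP packet per target server per penalty interval, with no need to win the TXID race the policy is meant to stop; the resolver spends the rest of the hour doing TCP handshakes to that server instead.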


