[116519] in North American Network Operators' Group
Re: DNS hardening, was Re: Dan Kaminsky
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Aug 6 03:11:54 2009
To: Douglas Otis <dotis@mail-abuse.org>
From: Florian Weimer <fweimer@bfk.de>
Date: Thu, 06 Aug 2009 07:11:35 +0000
In-Reply-To: <4A7A0D6C.90808@mail-abuse.org> (Douglas Otis's message of "Wed, 05 Aug 2009 15:53:32 -0700")
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
* Douglas Otis:
> DNSSEC UDP will likely become problematic. This might be due to
> reflected attacks,
SCTP does not stop reflective attacks at the DNS level. To deal with
this issue, you need DNSSEC's denial of existence. The DNSSEC specs
currently don't allow you to stop these attacks dead in your
resolver, but the data is already there.
-- 
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
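As an added illustration of the denial-of-existence data Florian refers to (example code written for this page, not from the post or from any resolver implementation): a validating resolver that has cached a zone's NSEC records can test whether one of them covers a queried name and, if so, already knows the name does not exist without asking the authoritative server again. The zone apex, the NSEC chain and the query names below are constructed. Canonical ordering follows RFC 4034 section 6.1 and the covering test RFC 4035 section 5.4; a complete NXDOMAIN proof additionally needs an NSEC showing that no wildcard at the closest encloser matches, which is omitted here. Answering such queries from cached NSEC data was later standardized (RFC 8198); at the time of the post it was, as Florian says, data the resolver had but was not allowed to act on.

```python
"""Find the cached NSEC record that covers a queried name.

Added example, not code from the thread or from any resolver.  The zone
"example." with four constructed NSEC records is embedded below.  Only the
name-covering half of an NXDOMAIN proof is implemented (RFC 4035 s5.4); the
wildcard non-existence proof is left out.
"""


def canonical_labels(name):
    """Split an owner name into lowercased labels, most significant first
    (RFC 4034 s6.1 canonical form), as byte strings for octet comparison."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    labels.reverse()
    return [label.encode("ascii") for label in labels]


def canonical_cmp(a, b):
    """Compare two owner names in DNSSEC canonical order: -1, 0 or 1."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            # unsigned octet comparison; a label that is a prefix of another
            # sorts first, which Python's bytes comparison already does
            return -1 if x < y else 1
    # identical leading labels: the name with fewer labels (the parent) sorts first
    if len(la) != len(lb):
        return -1 if len(la) < len(lb) else 1
    return 0


def in_zone(qname, apex):
    """True if qname is at or below the zone apex."""
    lq, la = canonical_labels(qname), canonical_labels(apex)
    return lq[: len(la)] == la


def nsec_covers(owner, next_name, qname):
    """True if the NSEC record owner -> next_name proves qname does not exist.

    qname must sort strictly between owner and next_name.  The last NSEC of
    a chain points back to the apex, so its next_name sorts at or before its
    owner; that record covers every name after owner in the zone.  The caller
    must already have checked that qname lies inside the zone.
    """
    if canonical_cmp(qname, owner) == 0:
        return False  # exact match: the name exists (NODATA at most)
    after_owner = canonical_cmp(owner, qname) < 0
    wraps_to_apex = canonical_cmp(next_name, owner) <= 0
    if wraps_to_apex:
        return after_owner
    return after_owner and canonical_cmp(qname, next_name) < 0


def find_covering_nsec(chain, apex, qname):
    """Return the (owner, next_name) NSEC covering qname, or None."""
    if not in_zone(qname, apex):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None


# Constructed NSEC chain for the zone "example." in canonical order.
# The last record wraps around to the apex.
APEX = "example."
NSEC_CHAIN = [
    ("example.", "a.example."),
    ("a.example.", "z.a.example."),
    ("z.a.example.", "z.example."),
    ("z.example.", "example."),
]


if __name__ == "__main__":
    # Constructed queries, e.g. names a spoofed-source flood might ask for.
    for q in ["b.example.", "a.example.", "zz.example.", "Y.a.example.", "foo.other."]:
        rec = find_covering_nsec(NSEC_CHAIN, APEX, q)
        verdict = "covered by %s -> %s" % rec if rec else "no cached proof"
        print("%-16s %s" % (q, verdict))
```

The comparison deliberately works on the raw label bytes rather than on the strings, because canonical order is defined on octets after lowercasing; the `zABC.a.EXAMPLE` versus `z.a.example` case from RFC 4034 only sorts correctly that way.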