[151970] in North American Network Operators' Group
Re: DNS noise
daemon@ATHENA.MIT.EDU (David Conrad)
Fri Apr 6 14:24:58 2012
From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAAAwwbUvs0u8t7JWvM=4j2nTkXzzFKfCifK=q=PaZCpEY=EtXQ@mail.gmail.com>
Date: Fri, 6 Apr 2012 11:24:18 -0700
To: Jimmy Hess <mysidia@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
>> It turns out that DNSSEC makes a respectable traffic amplification =
vector:
> This is definitely a problem.
Yep. So are SNMP reflection attacks (biggest attack I've seen was one =
of these) and any other datagram-oriented query/response protocol.
> Unfortunately, what really should happen is DNSSEC should be revised, =
to,
> either make sure that the client initiating the query has to either do =
more
> work than the server, or make a round trip before the DNSSEC data can
> be requested.
Treating a symptom and ignoring the disease. See =
http://tools.ietf.org/html/bcp38
> One way of accomplishing that would be to indicate that DNSSEC data
> can be transmitted only over DNS when using TCP; =20
I suspect the root server operators might not like this idea very much.
Regards,
-drc
