[168253] in North American Network Operators' Group


Re: "trivial" changes to DNS (was: OpenNTPProject.org)

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Jan 16 11:49:39 2014

In-Reply-To: <20140116163945.GU22344@dyn.com>
Date: Thu, 16 Jan 2014 11:48:56 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Andrew Sullivan <asullivan@dyn.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Jan 16, 2014 at 11:39 AM, Andrew Sullivan <asullivan@dyn.com> wrote:
> On Thu, Jan 16, 2014 at 11:32:05AM -0500, Christopher Morrow wrote:
>
>> pretty easy to believe that quic would be helpful right?
>
> Yes.  It's also pretty easy to believe that ditching DNS completely in
> favour of something without 8 billion warts would be helpful.
>
>> seems totally feasible.
>
> Certainly, it would be possible to standardize it.  Whether it would
> be "trivial" to get it deployed is quite a different matter.  The
> evidence to date is that there is a very, very long tail in any change
> having to do with the DNS.  We are still, to this day, fighting with
> sysadmins who are convinced that firewall rules on TCP/53 are
> perfectly reasonable, even though DNS _always_ used TCP.
>
> People who believe there are going to be easy fixes to the issues
> coming from DNS are deluding themselves.

I totally agree... I was actually joking in my last note :( sorry for
not adding the ":)" as requisite in email.

So... what other options are there to solve the larger problem of:
  "Some service is running on a public host, and it can be used to
attack a third party"

where in all of these cases the third party is someone whose address
has been spoofed in the src-address of a packet.

-chris
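The point in the quoted text about TCP/53 is worth seeing in code: DNS has always specified TCP as a transport, and a resolver that receives a UDP reply with the TC (truncated) bit set is expected to retry the same query over TCP, where each message carries a 2-byte length prefix (RFC 1035 section 4.2.2). The following is an added example, not code from this thread or from any project its participants work on; the wire-format builder, the stream parser and the truncated reply are all constructed here for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: the UDP reply did not fit, retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP every DNS message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_tcp_stream(data: bytes) -> list:
    """Split a TCP byte stream into complete DNS messages.

    A trailing partial message is left unparsed (a real client would keep
    reading from the socket until the announced length has arrived).
    """
    messages = []
    offset = 0
    while offset + 2 <= len(data):
        (length,) = struct.unpack("!H", data[offset:offset + 2])
        end = offset + 2 + length
        if end > len(data):
            break  # incomplete message, wait for more bytes
        messages.append(data[offset + 2:end])
        offset = end
    return messages


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set in the header flags of a DNS message."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & FLAG_TC)


def next_transport(udp_reply: bytes) -> str:
    """Decide what a resolver must do after receiving a UDP reply.

    Returns "tcp" when the reply is truncated (the query must be repeated
    over TCP/53), otherwise "done". A firewall that drops TCP/53 turns the
    "tcp" case into a resolution failure.
    """
    return "tcp" if is_truncated(udp_reply) else "done"


# Constructed sample: a UDP reply to the query above with QR, TC, RD and RA
# set and no answer records, which is what a server sends when it wants the
# client to come back over TCP.
QUERY = build_query("example.com")
TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
    + QUERY[12:]
)
FULL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + QUERY[12:]


if __name__ == "__main__":
    print("UDP query bytes:", len(QUERY))
    print("TCP-framed bytes:", len(frame_for_tcp(QUERY)))
    print("truncated reply ->", next_transport(TRUNCATED_REPLY))
    print("full reply ->", next_transport(FULL_REPLY))
    stream = frame_for_tcp(QUERY) + frame_for_tcp(QUERY)
    print("messages recovered from TCP stream:", len(parse_tcp_stream(stream)))
```

The TC-then-TCP fallback is also the mechanism behind response rate limiting on authoritative servers: when a server suspects it is being used as a reflector toward a spoofed source, answering with a truncated reply instead of a large one means only a client that really owns the source address (and can therefore complete a TCP handshake) gets the full answer. That is one concrete reason the "firewall TCP/53" habit mentioned above works against the very mitigation operators want.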

