Possibly questionable security decisions in DNS root management

Florian Weimer fweimer at bfk.de
Wed Oct 21 04:24:29 EDT 2009

* Victor Duchovni:
> The optimization is for DDoS conditions, especially amplification via
> forged source IP DNS requests for ". IN NS?". The request is tiny,
> and the response is multiple KB with DNSSEC.

There's only one required signature in a ". IN NS" response, so it
isn't as large as you suggest.  (And the priming response is already
larger than 600 bytes due to IPv6 records.)

DNSKEY RRsets are more interesting.  But in the end, this is not a DNS
problem, it's a lack of regulation of the IP layer.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list