Possibly questionable security decisions in DNS root management
Florian Weimer
fweimer at bfk.de
Wed Oct 21 04:24:29 EDT 2009
* Victor Duchovni:
> The optimization is for DDoS conditions, especially amplification via
> forged source IP DNS requests for ". IN NS?". The request is tiny,
> and the response is multiple KB with DNSSEC.
There's only one required signature in a ". IN NS" response, so it
isn't as large as you suggest. (And the priming response is already
larger than 600 bytes due to IPv6 records.)
DNSKEY RRsets are more interesting. But in the end, this is not a DNS
problem, it's a lack of regulation of the IP layer.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list