On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote:

> 1)  If everyone on the planet were to somehow magically and immediately be
> converted over to DNSSEC tomorrow, then would DNS amplification attacks
> become a thing of the past, starting tomorrow?  Does DNSSEC "solve" the
> DNS amplification attack problem?  Or does it have no direct bearing on

No, quite the opposite in fact. By increasing the size of responses, DNSSEC arguably makes the amplification problem (slightly) worse.

DNSSEC is a good thing and necessary for other reasons, but it does not help amplification attacks.

> 2)  Has anyone ever proposed adding to the DNS protocol something vaguely
> reminiscent of the old ICMP Source Quench?  If so, what became of that
> proposal?

<snip>

> Basically, the whole idea is just simply to allow a victim to switch to
> "safe TCP only mode" with all of the intermediaries that are participating

The problem with that idea is that it needs software updates on both the reflecting DNS server and the victim. It also seems to require keeping a lot of soft state in the endpoints.

Altogether, it seems easier for everyone to just apply RRL patches, do BCP38 and de-peer with people who don't do BCP38.
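An added example, not from this thread and not BIND's own RRL code: a toy model of the Response Rate Limiting approach the reply recommends, showing how per-prefix limiting with "slip" (truncated replies that push real clients to TCP, which is the same TCP fallback the quoted proposal wanted, but needing no change on the victim side) cuts the bytes a reflector sends toward a spoofed address. All addresses, names, packet sizes and limits here are constructed.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Constructed model of Response Rate Limiting (RRL); not BIND's own code.
    Responses are bucketed by (client prefix, qname, qtype); a bucket may emit
    `rps` full answers per second. Excess is dropped, except every `slip`-th
    excess reply is sent truncated (TC=1): real clients retry over TCP, a
    spoofed victim gets only a tiny packet."""

    def __init__(self, rps=5, slip=2, v4_prefix=24):
        self.rps, self.slip, self.v4_prefix = rps, slip, v4_prefix
        self.window = {}                # bucket -> (second, answers sent)
        self.excess = defaultdict(int)  # bucket -> excess responses seen

    def _bucket(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.v4_prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'answer', 'slip' (truncated reply) or 'drop' for one query."""
        key = self._bucket(client_ip, qname, qtype)
        sec = int(now)
        last_sec, sent = self.window.get(key, (sec, 0))
        if last_sec != sec:             # new one-second window: reset counter
            sent = 0
        if sent < self.rps:
            self.window[key] = (sec, sent + 1)
            return "answer"
        self.excess[key] += 1
        return "slip" if self.slip and self.excess[key] % self.slip == 0 else "drop"


def simulate(queries, rps=5, slip=2, full_size=3000, tc_size=64):
    """Run (time, src_ip, qname, qtype) tuples through RRL; return counts, bytes."""
    rrl = ResponseRateLimiter(rps=rps, slip=slip)
    counts, bytes_out = defaultdict(int), 0
    for now, src, qname, qtype in queries:
        verdict = rrl.decide(now, src, qname, qtype)
        counts[verdict] += 1
        bytes_out += {"answer": full_size, "slip": tc_size, "drop": 0}[verdict]
    return dict(counts), bytes_out


# Constructed input: 20 spoofed ANY queries within one second, source forged as
# the victim 192.0.2.10, plus one legitimate client in another /24.
FLOOD = [(1.0 + i * 0.04, "192.0.2.10", "example.com.", "ANY") for i in range(20)]
LEGIT = [(1.5, "198.51.100.7", "example.com.", "ANY")]
# simulate(FLOOD + LEGIT) -> ({'answer': 6, 'slip': 7, 'drop': 8}, 18448)
```

Without RRL the same 21 queries would send 21 * 3000 = 63000 bytes toward the victim; the limiter reduces that to 18448 while the legitimate client in the other prefix is still answered.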

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users