On Mon, Aug 18, 2008 at 01:56:09PM -0400, Dean Anderson wrote:
> DNSSEC caches that verify are subject to a crypto-overload attack by
> large numbers of queries.

Surely another way to express the same thing is, "DNSSEC-enabled servers and caching recursors require many more resources in order to avoid susceptibility to DoS." Or something like that.

After all, resource-exhaustion attacks are also possible against DNSSEC-oblivious systems. DNSSEC does open a new line of such attack, and one needs to provision for it. No?

A

-- 
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop