On Aug 5, 2015, at 4:32 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> The vast majority of open resolvers are broken CPE, with a poor and
> limited implementation of DNS, or very old BIND not maintained for
> years. I think it's unlikely they will be upgraded to support cookies.

Right, but it wouldn’t surprise me to see a broken CPE in the future that implements cookies if they do catch on, so this is only comforting in the short term.

> If you do a reflection attack, or a poisoning attack, you cannot use
> your legit IP address.

True. What I describe only works for attacks where the bots or open resolvers themselves are sending the packets. If that one objection were the only problem with this proposal, you might say that it’s worth doing for the sake of mitigating the two other attacks you mentioned.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop