On 1 August 2012 10:39, Don Stokes <don(a)daedalus.co.nz> wrote:
> Seriously, he utterly misses the point. Signing A records and so forth
> provides very little in the way of end-to-end protection, true, but what it
> does provide is a trusted, consistent mechanism to place security
> information (public keys, certificates, etc.) which end-to-end services can
> use to secure those services, without having to involve third parties in
> every single deployment.
>
> Basically, think of it not in terms of security for the DNS but as
> security information provided through the DNS.
and I fully appreciate the integrity facilities which DNSSEC provides. The
bits which concern me more are the points where he raises that through the
use of DNSSEC, infrastructural DNS servers become DoS traffic amplifiers.
I suspect this is still true of non-signed DNS traffic too; the much larger
replies complicate matters somewhat, however.
How would we protect ourselves as DNS operators from becoming DoS traffic
originators in this scenario?
Mark Goldfinch | Systems Team Leader
nz: +64 4 498 6000
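Response rate limiting is the mitigation authoritative operators adopted for exactly the reflection problem raised above. The following is an added example, not part of this thread or of any named server's code: a simplified model of what BIND's and NSD's RRL do (a per-client-block token bucket for identical responses, with a "slip" of truncated replies so a genuine resolver can retry over TCP, which cannot be spoofed). The thresholds, names and sample traffic are constructed.

```python
"""Simplified DNS response rate limiting (RRL) for an authoritative server.
Thresholds and traffic below are constructed for illustration."""
from collections import defaultdict
import ipaddress

RESPONSES_PER_SECOND = 5   # identical responses allowed per client block per second
SLIP = 2                   # every 2nd over-limit response goes out truncated (TC=1)
                           # instead of dropped, so a real client can retry over TCP


class ResponseRateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP):
        self.rps, self.slip = rps, slip
        self.buckets = defaultdict(lambda: (0.0, 0))  # key -> (window_start, count)
        self.slipped = defaultdict(int)               # key -> over-limit responses seen

    def key(self, client_ip, qname, qtype):
        # Aggregate by /24 (IPv4) or /56 (IPv6): an attacker spoofing many
        # addresses inside one network still shares a single bucket.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 56
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send', 'truncate' or 'drop' for one would-be response."""
        k = self.key(client_ip, qname, qtype)
        start, count = self.buckets[k]
        if now - start >= 1.0:            # one-second fixed window per bucket
            start, count = now, 0
        count += 1
        self.buckets[k] = (start, count)
        if count <= self.rps:
            return "send"
        self.slipped[k] += 1
        return "truncate" if self.slipped[k] % self.slip == 0 else "drop"


def simulate(events, limiter=None):
    """events: iterable of (time, src_ip, qname, qtype). Returns decision counts."""
    limiter = limiter or ResponseRateLimiter()
    tally = defaultdict(int)
    for t, ip, qname, qtype in events:
        tally[limiter.decide(t, ip, qname, qtype)] += 1
    return dict(tally)


# Constructed flood: one spoofed source asks the same signed name 20 times in a second.
FLOOD = [(0.05 * i, "203.0.113.7", "example.nz", "ANY") for i in range(20)]
# Constructed benign traffic: a resolver asks twice in the same second.
NORMAL = [(0.1, "198.51.100.2", "example.nz", "A"), (0.6, "198.51.100.2", "example.nz", "A")]
```

The flood yields five full responses, seven truncated ones and eight drops, so the reflected bytes shrink to a fraction of the requested volume while the benign resolver is never throttled.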