On 1 August 2012 10:39, Don Stokes <don@daedalus.co.nz> wrote:
> Seriously, he utterly misses the point. Signing A records and so forth provides very little in the way of end-to-end protection, true, but what it does provide is a trusted, consistent mechanism to place security information (public keys, certificates, etc.) which end-to-end services can use to secure those services, without having to involve third parties in every single deployment.
>
> Basically, think of it not in terms of security for the DNS but as security information provided through the DNS.

and I fully appreciate the integrity facilities which DNSSEC provides.  The bits which concern me more are the points where he raises that through the use of DNSSEC, infrastructural DNS servers become DoS traffic amplifiers.

I suspect this is still true of non-signed DNS traffic too; the much larger replies complicate matters somewhat, however.

How would we protect ourselves as DNS operators from becoming DoS traffic originators in this scenario?

Thanks,
--

Mark Goldfinch | Systems Team Leader

MODICA GROUP

nz: +64 4 498 6000

THIS MONTH - Shiny shiny and new! check out our new website at www.modicagroup.com and tell us what you think.
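As an added illustration of the operator-side mitigation the question above is asking about (not code from this thread or from any DNS server), the following sketches response rate limiting: responses are budgeted per (client /24, name, type) per second, and over-budget queries are either dropped or answered with a tiny truncated reply that cannot amplify but lets a real resolver retry over TCP. The budget, slip ratio, and traffic are assumed values constructed for the example.

```python
# Added example: a simplified response rate limiter in the spirit of DNS RRL.
# Thresholds and sample traffic are assumptions, not values from the thread.
from collections import defaultdict
from ipaddress import ip_network

RESPONSES_PER_SECOND = 5   # assumed budget per (client block, qname, qtype) per second
SLIP = 2                   # every 2nd over-budget query gets a truncated reply instead of silence


class ResponseRateLimiter:
    """Decide, per query, whether to answer fully, send a truncated (TC=1) reply, or drop.

    A spoofed victim behind one /24 repeatedly asking for the same large signed
    answer exhausts its budget quickly, while ordinary resolvers stay below it.
    A truncated reply is only a few dozen bytes, so it gives no amplification,
    yet a genuine client can still retry the query over TCP.
    """

    def __init__(self, rps=RESPONSES_PER_SECOND, slip=SLIP):
        self.rps, self.slip = rps, slip
        self.counts = defaultdict(int)    # (second, client block, qname, qtype) -> full answers sent
        self.overflow = defaultdict(int)  # same key -> over-budget queries seen

    def decide(self, ts, client_ip, qname, qtype):
        block = ip_network(f"{client_ip}/24", strict=False)
        key = (int(ts), str(block), qname.lower(), qtype)
        if self.counts[key] < self.rps:
            self.counts[key] += 1
            return "answer"
        self.overflow[key] += 1
        if self.slip and self.overflow[key] % self.slip == 0:
            return "truncate"  # small TC=1 reply: no amplification, honest client retries over TCP
        return "drop"


def run_sample():
    """Constructed traffic: 12 identical DNSKEY queries within one second from
    addresses in 192.0.2.0/24 (as a spoofed victim would look), plus one normal
    resolver elsewhere. Returns the decisions for the burst and for the resolver."""
    rrl = ResponseRateLimiter()
    burst = [rrl.decide(1000.0 + i * 0.05, f"192.0.2.{i + 1}", "example.net", "DNSKEY")
             for i in range(12)]
    normal = rrl.decide(1000.3, "198.51.100.7", "example.net", "DNSKEY")
    return burst, normal


if __name__ == "__main__":
    burst, normal = run_sample()
    print("burst:", burst)
    print("resolver:", normal)
```

Real servers key the limit on the answer rather than the query and log before enforcing, which is the sensible first step when rolling this out.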