On 1/08/2012, at 11:49 AM, Mark Goldfinch <mark.goldfinch(a)modicagroup.com> wrote:
On 1 August 2012 10:39, Don Stokes <don(a)daedalus.co.nz> wrote:
Seriously, he utterly misses the point. Signing A records and so-forth provides very
little in the way of end to end protection, true, but what it does provide is a trusted,
consistent mechanism to place security information (public keys, certificates etc.) which
end-to-end services can use to secure those services, without having to involve third
parties in every single deployment.
Basically, think of it not in terms of security for the DNS but as security information
provided through the DNS.
and I fully appreciate the integrity facilities which DNSSEC provides. The bits which
concern me more are the points where he raises that through the use of DNSSEC,
infrastructural DNS servers become DoS traffic amplifiers.
I suspect this is still true of non-signed DNS traffic too; the much larger replies
complicate matters somewhat, however.
How would we protect ourselves as DNS operators from becoming DoS traffic originators in
A DNS DoS traffic amplifier just needs a large DNS record anywhere on the Internet to
reflect at the target. While DNSSEC does mean there will be more records like that
available to choose from, it doesn't create a problem where there wasn't one
before. A claim could be made that large records on well-connected servers were hard to
find but I doubt that would have stopped an attacker for more than a few minutes.
Mark Goldfinch | Systems Team Leader
nz: +64 4 498 6000
NZNOG mailing list
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
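A worked example added here (not code from the thread, and not tooling from .nz Registry Services or Modica) that puts numbers on the two points above: how much a signed zone's DNSKEY answer amplifies a small spoofed UDP query, and what response rate limiting (RRL, as shipped in BIND 9 and NSD, shown here in simplified form) does to the bytes a reflector sends towards one source. The zone name example.nz, the key and signature sizes, timestamps, source addresses and the per-second threshold are all constructed assumptions; the key and signature bytes are filler, not real cryptographic material.

```python
"""Added example (not code from the NZNOG thread): measure how much a
DNSSEC-style DNSKEY answer amplifies a small spoofed UDP query, then show one
operator-side control, response rate limiting (RRL) as implemented in BIND 9
and NSD, in simplified form.  Zone name, key sizes, key and signature bytes,
timestamps, source addresses and the RRL threshold are constructed."""
import struct
from collections import defaultdict

TYPE_RRSIG, TYPE_DNSKEY, TYPE_OPT = 46, 48, 41
FLAG_TC = 0x0200


def encode_name(name: str) -> bytes:
    """Domain name in wire format: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def opt_record(udp_size: int = 4096) -> bytes:
    """EDNS0 OPT pseudo-RR advertising a large UDP payload; without it the
    server would truncate at 512 bytes and the attack would gain little."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Header + one question + OPT: 39 bytes on the wire for example.nz/DNSKEY."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, ARCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_record()


def rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: owner, type, class IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_dnskey_response(qname: str, txid: int = 0x1234) -> bytes:
    """What a signed zone answers for DNSKEY: KSK + ZSK + RRSIG over the set.
    Key/signature lengths match 2048/1024-bit RSA keys; contents are filler."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 1)  # QR RD RA, 3 answers, 1 OPT
    question = encode_name(qname) + struct.pack("!HH", TYPE_DNSKEY, 1)
    owner = b"\xc0\x0c"  # compression pointer back to the question name
    answers = b""
    for flags, keylen in ((257, 260), (256, 132)):  # KSK, ZSK (constructed sizes)
        rdata = struct.pack("!HBB", flags, 3, 8) + b"\x55" * keylen  # alg 8 = RSASHA256
        answers += rr(owner, TYPE_DNSKEY, 3600, rdata)
    # RRSIG fixed fields: type covered, alg, labels, orig TTL, expiry, inception, key tag
    sig_fixed = struct.pack("!HBBIIIH", TYPE_DNSKEY, 8, 2, 3600,
                            1346025600, 1344211200, 20326)
    answers += rr(owner, TYPE_RRSIG, 3600, sig_fixed + encode_name(qname) + b"\xaa" * 256)
    return header + question + answers + opt_record()


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the spoofed source per byte the attacker sends."""
    return len(response) / len(query)


def truncated_reply(query: bytes) -> bytes:
    """Empty answer with TC set, the same size as the query, so reflecting it
    gains nothing; a genuine client retries over TCP, which a spoofed source
    cannot complete."""
    arcount = struct.unpack("!H", query[10:12])[0]
    return query[:2] + struct.pack("!HHHHH", 0x8180 | FLAG_TC, 1, 0, 0, arcount) + query[12:]


def simulate_rrl(queries, limit: int):
    """Simplified RRL: beyond `limit` identical (source /24, qname) hits in a
    one-second window the server sends the truncated reply instead of the
    full DNSKEY answer.  queries: iterable of (t_seconds, src_ip, qname).
    Returns (bytes sent without RRL, bytes sent with RRL)."""
    seen = defaultdict(int)
    without = with_rrl = 0
    for t, src, qname in queries:
        full = build_dnskey_response(qname)
        without += len(full)
        key = (".".join(src.split(".")[:3]), qname, int(t))
        seen[key] += 1
        if seen[key] <= limit:
            with_rrl += len(full)
        else:
            with_rrl += len(truncated_reply(build_query(qname, TYPE_DNSKEY)))
    return without, with_rrl


def demo():
    """Constructed traffic: 200 spoofed queries 'from' one victim in a single
    second, plus three genuine queries from other networks."""
    q = build_query("example.nz.", TYPE_DNSKEY)
    r = build_dnskey_response("example.nz.")
    spoofed = [(i / 200, "203.0.113.7", "example.nz.") for i in range(200)]
    genuine = [(0.5, "198.51.100.1", "example.nz."), (0.7, "192.0.2.9", "example.nz."),
               (0.9, "192.0.2.200", "example.nz.")]
    return amplification(q, r), simulate_rrl(spoofed + genuine, limit=5)


if __name__ == "__main__":
    factor, (plain, limited) = demo()
    print(f"amplification x{factor:.1f}; bytes reflected: {plain} without RRL, {limited} with RRL")
```

Run as-is it reports roughly 19.5x for a three-record DNSKEY answer; an ANY query against a zone with more signed RRsets comes out considerably larger, which is the point made above about DNSSEC adding to the supply of big records. The RRL half is deliberately simplified: real BIND and NSD implementations drop most over-limit answers and send the truncated reply only to every Nth one (the "slip" ratio), and they key on the response rather than the query, but the effect is the one shown, the reflector's outbound volume towards the spoofed address collapses to roughly query size while genuine clients from other networks are still answered in full.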