Hi Mark
On 1/08/2012, at 11:49 AM, Mark Goldfinch
On 1 August 2012 10:39, Don Stokes wrote:
Seriously, he utterly misses the point. Signing A records and so-forth provides very little in the way of end to end protection, true, but what it does provide is a trusted, consistent mechanism to place security information (public keys, certificates etc.) which end-to-end services can use to secure those services, without having to involve third parties in every single deployment. Basically, think of it not in terms of security for the DNS but as security information provided through the DNS.
and I fully appreciate the integrity facilities which DNSSEC provides. The bits which concern me more are the points where he raises that through the use of DNSSEC, infrastructural DNS servers become DoS traffic amplifiers.
I suspect this is still true of non-signed DNS traffic too; the much larger replies complicate matters somewhat, however.
How would we protect ourselves as DNS operators from becoming DoS traffic originators in this scenario?
A DNS DoS traffic amplifier just needs a large DNS record anywhere on the Internet to reflect at the target. While DNSSEC does mean there will be more records like that available to choose from, it doesn't create a problem where there wasn't one before. A claim could be made that large records on well-connected servers were hard to find but I doubt that would have stopped an attacker for more than a few minutes.
cheers
Jay
Thanks, --
Mark Goldfinch | Systems Team Leader
MODICA GROUP
nz: +64 4 498 6000
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840
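An added example, not code from the thread or from either poster, showing one way a DNS operator could watch its own query log for the reflection pattern Jay describes: many queries from one source whose responses are far larger than the queries themselves. The log format here is a constructed simplification (timestamp, client, qtype, qname, request bytes, response bytes); real BIND or Unbound logs differ, and the "client" in a reflection attack is the spoofed victim, so the defensive action is to rate-limit responses to it rather than block it.

```python
from collections import defaultdict

# Constructed sample log (not a real server format). Each line:
# timestamp client qtype qname request_bytes response_bytes
# The first source repeats an ANY query against a signed zone, whose
# RRSIG-laden answer is ~50x the size of the query.
SAMPLE_LOG = """\
1343778000 198.51.100.7 ANY example.nz 64 3214
1343778000 198.51.100.7 ANY example.nz 64 3214
1343778001 198.51.100.7 ANY example.nz 64 3214
1343778001 198.51.100.7 ANY example.nz 64 3214
1343778002 203.0.113.9 A www.example.nz 57 89
1343778002 203.0.113.9 AAAA www.example.nz 57 101
1343778003 192.0.2.44 DNSKEY example.nz 60 1100
"""


def parse_log(text):
    """Yield (client, qtype, request_bytes, response_bytes) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, _qname, req, resp = line.split()
        yield client, qtype, int(req), int(resp)


def amplification_by_client(text):
    """Return {client: (query_count, bytes_out / bytes_in)} over the log."""
    totals = defaultdict(lambda: [0, 0, 0])  # queries, bytes_in, bytes_out
    for client, _qtype, req, resp in parse_log(text):
        t = totals[client]
        t[0] += 1
        t[1] += req
        t[2] += resp
    return {c: (q, out / inp) for c, (q, inp, out) in totals.items()}


def flag_amplifiers(text, min_queries=3, min_factor=10.0):
    """Clients that look like reflection targets: repeated queries AND a
    large response/request ratio. A single large DNSKEY lookup is normal
    resolver behaviour and is not flagged on its own."""
    return sorted(
        c for c, (q, f) in amplification_by_client(text).items()
        if q >= min_queries and f >= min_factor
    )


if __name__ == "__main__":
    for client, (q, f) in amplification_by_client(SAMPLE_LOG).items():
        print(f"{client:15} queries={q} amplification={f:.1f}x")
    print("candidates for response rate limiting:", flag_amplifiers(SAMPLE_LOG))
```

Thresholds are illustrative; in practice the same per-source ratio is what response rate limiting (RRL) in authoritative servers keys on.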