On 8/3/2012 4:28 AM, Dobbins, Roland wrote:
> On Aug 3, 2012, at 10:07 AM, Mohamed Lrhazi wrote:
>
>> I guess I should ask the same question about side effects when there are no
>> configuration mistakes at all :)
> One unintended consequence of DNSSEC deployment is that it has made DNS
> reflection/amplification attacks even easier - rather than have to dork
> around looking for large TXT records or issuing ANY queries, the attacker is
> guaranteed that he'll get at least a 1300-byte response for all the spoofed
> queries he issues to DNSSEC-capable DNS servers.

i believe the largest secure dns responses are negative. qname proof + apex proof + wildcard proof. it's not about TXT and it never was about ANY.
