On Aug 27, 2008, at 3:45 PM, Dean Anderson wrote:

> I'm not sure I agree with your summary of the NSEC/NSEC3 issues. I'll
> mostly ignore your summary for now and just note that there are a number
> of other serious flaws.

It's hard to take a statement like this seriously when it's not backed up by some clarity as to what's being said. If there are other serious flaws, let's hear about them.

> 3. Ordinary cache poisoning still possible in DNSSEC-aware non-verifying
> caches, resulting in a DOS.

Right, we know about that, and what to do about it.

> 4. Crypto-overload DOS attack on verifying caches.

We know about this also, and know what to do about it.

> 5. New, hard to mitigate, DDOS attack using forged DNSSEC queries to
> roots, TLDs, large domains with an amplification factor near 100:1.

Details? Are you referring to the fact that a DNSSEC lookup looks up more RRsets than a PODS lookup? Is there a situation where all these lookups hit the same server?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop