It appears that Mark Andrews <ma...@isc.org> said:
>The current “fixes” still leave validators more vulnerable to cpu exhaustion
>attacks than eliminating colliding key tags in the signer does. This is a
>protocol bug that leads to cpu exhaustion. We, the IETF, have a duty to fix
>this at the protocol level.

I'm having trouble understanding how this is fundamentally different
from CNAME loops, or NS sets with silly numbers of NS or A records.

The kind of load is different but in each case the client needs to
limit the amount of work it's willing to do. We can forbid it in the
protocol but unless you have better contacts at the Protocol Police
than I do, people will do it anyway.

R's,
John

PS: Try looking up 1.2.3.4.contacts.abuse.net.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
