On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote: >> It turns out that DNSSEC makes a respectable traffic amplification vector: > This is definitely a problem.
Yep. So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol. > Unfortunately, what really should happen is DNSSEC should be revised, to, > either make sure that the client initiating the query has to either do more > work than the server, or make a round trip before the DNSSEC data can > be requested. Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38 > One way of accomplishing that would be to indicate that DNSSEC data > can be transmitted only over DNS when using TCP; I suspect the root server operators might not like this idea very much. Regards, -drc