On Apr 6, 2012, at 11:13 AM, Jimmy Hess wrote:
> It turns out that DNSSEC makes a respectable traffic amplification vector: This is definitely a problem.
Yep. So are SNMP reflection attacks (biggest attack I've seen was one of these) and any other datagram-oriented query/response protocol.
> Unfortunately, what really should happen is DNSSEC should be revised to either make sure that the client initiating the query has to do more work than the server, or make a round trip before the DNSSEC data can be requested.
Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38
> One way of accomplishing that would be to indicate that DNSSEC data can be transmitted only over DNS when using TCP;
I suspect the root server operators might not like this idea very much.

Regards,
-drc
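The two mitigations argued over above (make the querier complete a round trip before it can pull DNSSEC data, versus BCP 38 ingress filtering so spoofed queries never reach the reflector) can be put side by side in a small model. The following is an added example and not code from the thread or from any DNS implementation: the query encoder follows the real wire format (RFC 1035 header and question, EDNS0 OPT record with the DO bit), but the authoritative server, its "TC-bit unless TCP" policy, the 3000-byte signed answer, the customer prefix 203.0.113.0/24 and the victim address 198.51.100.10 are all constructed stand-ins chosen to make the amplification ratio visible.

```python
"""Toy model of DNS(SEC) reflection/amplification and two mitigations.

Added example, not from the original thread. Answer payload sizes are
constructed placeholders; only their order of magnitude matters here.
"""
import ipaddress
import struct

QTYPE_DNSKEY = 48
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the OPT record's extended flags (RFC 3225/6891)
TC_FLAG = 0x0200   # truncation bit in the DNS header flags


def encode_name(name):
    """Dotted name -> length-prefixed labels, root-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_DNSKEY, txid=0x1234, bufsize=4096, do=True):
    """A UDP query advertising a 4096-byte EDNS buffer and (optionally) DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, "TTL" = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, bufsize, 0, 0, DO_FLAG if do else 0, 0)
    return header + question + opt


def parse_query(pkt):
    """Extract the fields the server policy needs from a query packet."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    pos = 12
    while pkt[pos] != 0:              # walk the QNAME labels
        pos += 1 + pkt[pos]
    pos += 1                          # root label
    qtype, _qclass = struct.unpack_from("!HH", pkt, pos)
    question = pkt[12:pos + 4]
    do = False
    if ar and pkt[pos + 4] == 0:      # additional section starts with an OPT RR
        rtype, _buf, _xrcode, _ver, ext_flags, _rdlen = struct.unpack_from("!HHBBHH", pkt, pos + 5)
        do = rtype == 41 and bool(ext_flags & DO_FLAG)
    return {"txid": txid, "question": question, "qtype": qtype, "do": do}


# Constructed stand-ins: a DNSKEY RRset plus its RRSIGs is a few kB on the wire,
# an unsigned answer is a small fraction of that.
SIGNED_ANSWER_RDATA = b"\x00" * 3000
UNSIGNED_ANSWER_RDATA = b"\x00" * 80


def serve(pkt, transport, require_round_trip):
    """Model authoritative server (not any real implementation).

    With require_round_trip=True it will not send DNSSEC data over UDP: a DO=1
    UDP query gets an empty reply with TC=1, so the querier has to come back over
    TCP, whose handshake proves the source address was not spoofed.
    """
    q = parse_query(pkt)
    flags = 0x8400                                              # QR | AA
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_FLAG if q["do"] else 0, 0)
    if q["do"] and transport == "udp" and require_round_trip:
        header = struct.pack("!HHHHHH", q["txid"], flags | TC_FLAG, 1, 0, 0, 1)
        return header + q["question"] + opt                     # roughly query-sized
    rdata = SIGNED_ANSWER_RDATA if q["do"] else UNSIGNED_ANSWER_RDATA
    rr = struct.pack("!HHHIH", 0xC00C, q["qtype"], 1, 3600, len(rdata)) + rdata  # name ptr to offset 12
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 1, 0, 1)
    return header + q["question"] + rr + opt


def amplification(pkt, transport="udp", require_round_trip=False):
    """Bytes sent to the (possibly spoofed) source per byte of query."""
    return len(serve(pkt, transport, require_round_trip)) / len(pkt)


def bcp38_permits(src_ip, customer_prefixes):
    """BCP 38 ingress filter at a customer-facing edge: forward only packets
    whose source address lies in a prefix assigned to that customer."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)


def reflected_bytes(victim_ip, customer_prefixes, ingress_filter, require_round_trip, queries=1):
    """Bytes the reflector delivers to the victim for `queries` spoofed DO=1 queries."""
    if ingress_filter and not bcp38_permits(victim_ip, customer_prefixes):
        return 0                                                # dropped at the attacker's edge
    pkt = build_query("example.", do=True)
    return len(serve(pkt, "udp", require_round_trip)) * queries


if __name__ == "__main__":
    q = build_query("example.")
    print("query bytes:", len(q))
    print("UDP, DNSSEC over UDP allowed:  x%.1f" % amplification(q))
    print("UDP, round trip required:      x%.1f" % amplification(q, require_round_trip=True))
    print("TCP after the handshake:       x%.1f" % amplification(q, "tcp", True))
    for filt, rt in ((False, False), (False, True), (True, False)):
        print("bcp38=%s round_trip=%s -> victim gets %d bytes per 10 queries"
              % (filt, rt, reflected_bytes("198.51.100.10", ["203.0.113.0/24"], filt, rt, 10)))
```

The ratios show why the two sides of the thread are arguing past each other: the round-trip rule collapses the UDP amplification to about 1:1 at the cost of a TCP session for every signed answer (the burden drc expects root operators to object to), while BCP 38 leaves the amplifier intact and instead stops the spoofed query at the edge nearest the attacker, where only that network's operator can deploy it.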