[Chugalug] Signing DNS Queries

David White dwrudy at gmail.com
Wed Sep 4 15:28:13 UTC 2013


Oh, I agree completely - open resolvers are a bad idea to begin with. But
so many of them are out there (misconfigured), and major ISPs have them for
their customers, that they aren't going away.
On Sep 4, 2013 11:19 AM, "Dave Brockman" <dave at brockmans.com> wrote:

> On 9/4/2013 10:35 AM, David White wrote:
> > .... or, is what I just described exactly what DNSSEC is (for you
> > DNSSEC geeks out there - this is still 1 aspect of DNS I still
> > don't fully understand)
>
> No, it does nothing of the sort.  The solution to the DNS
> amplification issue is the same thing as what we did when people
> started abusing SMTP, we shut off open relays.  Shutting down open
> resolvers is the logical outcome.  And if you think DNS amplification
> factors are huge, check out SNMP amplification factors....
>
> Regards,
>
> dtb