* Victor Duchovni:
> The optimization is for DDoS conditions, especially amplification via
> forged source IP DNS requests for ". IN NS?". The request is tiny,
> and the response is multiple KB with DNSSEC.

There's only one required signature in a ". IN NS" response, so it
isn't as large as you suggest.  (And the priming response is already
larger than 600 bytes due to IPv6 records.)

DNSKEY RRsets are more interesting.  But in the end, this is not a DNS
problem, it's a lack of regulation of the IP layer.

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstra├če 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to