* Victor Duchovni:

> The optimization is for DDoS conditions, especially amplification via
> forged source IP DNS requests for ". IN NS?". The request is tiny,
> and the response is multiple KB with DNSSEC.

There's only one required signature in a ". IN NS" response, so it isn't
as large as you suggest. (And the priming response is already larger than
600 bytes due to IPv6 records.) DNSKEY RRsets are more interesting.

But in the end, this is not a DNS problem, it's a lack of regulation of
the IP layer.

-- 
Florian Weimer <fwei...@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
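The size argument in the exchange above (one RRSIG over the root NS RRset, and AAAA glue pushing the priming response past 600 bytes) can be checked on the wire. The script below is an added example, not code from either poster: it implements a minimal RFC 1035 message encoder with label compression, builds a ". IN NS" query with an EDNS0 OPT record (DO bit set), and a constructed priming response carrying the 13 root NS records, a single RRSIG, and A/AAAA glue, then compares the byte counts. The glue addresses are documentation prefixes (RFC 5737 / RFC 3849), not the real root-server addresses; the signature length assumes a 2048-bit RSA key; TTLs and the message ID are arbitrary. Real root-server answers vary in how much glue they include, so treat the numbers as a model of the record layout rather than a measurement of any server.

```python
"""Wire-size model of a DNSSEC-signed root priming exchange ("." IN NS).

Added example: minimal RFC 1035 encoder (with name compression) used to
compare the size of a ". IN NS" query (EDNS0, DO=1) against a constructed
priming response.  Defender's use: quantify the response/request ratio
that a resolver or authoritative operator exposes, e.g. when sizing
response-rate limiting.
"""
import socket
import struct

ROOT_NS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
# Constructed glue using documentation prefixes; only record sizes matter here.
GLUE_A = {n: f"192.0.2.{i + 1}" for i, n in enumerate(ROOT_NS)}
GLUE_AAAA = {n: f"2001:db8::{i + 1:x}" for i, n in enumerate(ROOT_NS)}

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 2, 28, 41, 46
CLASS_IN = 1
EDNS_UDP_SIZE = 4096
DO_BIT = 0x8000          # DNSSEC OK flag lives in the OPT "TTL" field (RFC 6891)
RSA_SIG_LEN = 256        # assumed: 2048-bit RSA signature
TTL = 518400             # arbitrary 6-day TTL


class Wire:
    """Append-only DNS message builder with RFC 1035 label compression."""

    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}    # name suffix -> offset of its first occurrence

    def name(self, dname, compress=True):
        labels = [l for l in dname.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if compress and suffix in self.offsets:
                # 2-byte pointer replaces the rest of the name (and its terminator)
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x4000:           # pointers are 14 bits wide
                self.offsets.setdefault(suffix, len(self.buf))
            self.buf.append(len(labels[0]))
            self.buf += labels[0].encode("ascii")
            labels = labels[1:]
        self.buf.append(0)                       # root label terminates the name

    def rr(self, owner, rtype, rdata_fn):
        """Emit one IN-class RR; rdata_fn writes RDATA so RDLENGTH can be patched."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, TTL)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"
        rdata_fn(self)
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - rdlen_at - 2)


def opt_rr(w):
    # OPT pseudo-RR: root owner, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    w.buf += b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, DO_BIT, 0)


def addr_rdata(family, text):
    return lambda w: w.buf.extend(socket.inet_pton(family, text))


def rrsig_rdata(w):
    # RRSIG RDATA (RFC 4034): type covered, algorithm (8 = RSASHA256), label count
    # (0 for root), original TTL, expiration, inception, key tag, signer name
    # (never compressed), signature.  Timestamps/key tag are placeholders.
    w.buf += struct.pack("!HBBIIIH", TYPE_NS, 8, 0, TTL, 0, 0, 0)
    w.name(".", compress=False)
    w.buf += bytes(RSA_SIG_LEN)


def build_query():
    w = Wire()
    w.buf += struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    w.name(".")
    w.buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    opt_rr(w)
    return bytes(w.buf)


def build_priming_response(signed=True, ipv6_glue=True):
    w = Wire()
    ancount = len(ROOT_NS) + (1 if signed else 0)
    arcount = len(ROOT_NS) * (2 if ipv6_glue else 1) + 1   # glue + OPT
    w.buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, ancount, 0, arcount)  # QR|AA
    w.name(".")
    w.buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for ns in ROOT_NS:                                     # the NS RRset ...
        w.rr(".", TYPE_NS, lambda b, ns=ns: b.name(ns))
    if signed:                                             # ... and its one RRSIG
        w.rr(".", TYPE_RRSIG, rrsig_rdata)
    for ns in ROOT_NS:                                     # glue is unsigned
        w.rr(ns, TYPE_A, addr_rdata(socket.AF_INET, GLUE_A[ns]))
        if ipv6_glue:
            w.rr(ns, TYPE_AAAA, addr_rdata(socket.AF_INET6, GLUE_AAAA[ns]))
    opt_rr(w)
    return bytes(w.buf)


def amplification(query, response):
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query()
    for signed, v6 in [(False, False), (False, True), (True, False), (True, True)]:
        r = build_priming_response(signed, v6)
        print(f"signed={signed!s:5} ipv6_glue={v6!s:5} query={len(q)}B "
              f"response={len(r)}B ratio={amplification(q, r):.1f}x")
```

The unsigned, IPv4-only response fits in the classic 512-byte UDP limit, adding AAAA glue alone pushes it well past 600 bytes, and the single RRSIG adds a fixed 286 bytes (18 bytes of fixed fields, the root signer name, and the 256-byte signature), which is the point Florian makes: the priming answer is not "multiple KB", and it is the glue rather than DNSSEC that first breaks the 512-byte budget.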