> From: [email protected] [mailto:discuss-
> [email protected]] On Behalf Of Derek Atkins
> 
> Richard Pieri <[email protected]> writes:
> 
> > Which results in a denial of service for clients if DNSSEC is
> > enforced. That's not protecting users; that's dumping them into black
> > holes.
> 
> Some say DoS, some say protected.  If someone is trying to poison my DNS
> Cache I'd rather ignore them and blackhole than accept their attack and
> go to the wrong place.  Besides, DNS allows me to go ask multiple
> sources for information.

+1

The correct behavior is to refuse to use corrupted data, and probably retry the 
query to get good data.  If an intermediary router wants to cause a DoS, then 
stripping security would be the stupidest way possible to execute such an 
attack - rather than just dropping the packet.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to