> From: Matthäus Wander <matthaeus.wan...@uni-due.de>
>
> > Hmmm for authoritative servers, we might also emit a CNAME "challenge".
> > We could encode the encrypt the correct destination in the CNAME, for A and
> > AAAA this is trivial. If you come back to resolve
> > encoded-12.32.43.43.attackeddomain.com, you get 12.32.43.43 etc.
>
> There has been recently a patent granted with this method:
> http://www.freepatentsonline.com/8261351.html
>
> Though they don't use it to decide about blocking,

Is that because converting a reflected flood of DNSSEC signed responses to a reflected flood of DNSSEC signed challenge CNAMEs is not an impressive defense for DNS reflection attacks?

Never mind that packet losses during an attack can increase and so doubling the number of packets that must succeed for a legitimate DNS/UDP transaction is unlikely to be helpful.

> but use the CNAME
> challenge on every query, still providing a small amplification. This
> comes at the risk of running into resolver issues with NS or MX records.

and resolver CPU loads for DNSSEC signatures for all of those synthetic challenge CNAMES during an attack.

Vernon Schryver v...@rhyolite.com

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
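The CNAME challenge scheme quoted above, written out as an added Python example (not code from the list post or from the cited patent). It assumes a constructed zone example.com and, as a small generalization of the dotted-decimal label in the quote, encodes the address as hex of its packed bytes so the same label form carries both A and AAAA; the transaction() helper counts the round trips, which is the doubling the reply above objects to.

```python
import ipaddress

ZONE = "example.com"      # constructed zone name for the demo
PREFIX = "encoded-"       # marker label, as in the quoted scheme

# Constructed zone data: owner name -> (rrtype, address).
RECORDS = {
    f"www.{ZONE}": ("A", "12.32.43.43"),
    f"v6.{ZONE}": ("AAAA", "2001:db8::1"),
}

def make_challenge(qname: str) -> str:
    """First query: instead of the address, answer with a CNAME whose
    target label carries the real address as hex of its packed bytes."""
    _rrtype, addr = RECORDS[qname]
    packed = ipaddress.ip_address(addr).packed
    return f"{PREFIX}{packed.hex()}.{ZONE}"

def decode_challenge(qname: str):
    """Second query: a resolver that followed the CNAME asks for the encoded
    name; recover the address from the label alone (no server-side state)."""
    first, _, rest = qname.partition(".")
    if not first.startswith(PREFIX) or rest != ZONE:
        return None
    try:
        raw = bytes.fromhex(first[len(PREFIX):])
    except ValueError:
        return None
    if len(raw) not in (4, 16):
        return None
    ip = ipaddress.ip_address(raw)
    return ("A" if ip.version == 4 else "AAAA", str(ip))

def answer(qname: str):
    """Authoritative logic: challenge plain names, answer encoded ones."""
    decoded = decode_challenge(qname)
    if decoded:
        return ("ANSWER", decoded)
    if qname in RECORDS:
        return ("CNAME", make_challenge(qname))
    return ("NXDOMAIN", None)

def transaction(qname: str):
    """A well-behaved resolver's full exchange: returns the final answer and
    how many query/response pairs it took (two here instead of one)."""
    exchanges = 0
    while True:
        kind, payload = answer(qname)
        exchanges += 1
        if kind != "CNAME":
            return kind, payload, exchanges
        qname = payload
```

A spoofed-source query still gets the first CNAME response sent to the victim, which is why the challenge only shrinks the amplification rather than removing the reflection.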