On Tuesday, October 22, 2013 18:57:41 Haya Shulman wrote: > > On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl <rube...@nic.br> wrote: > > > > Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this issue? > ... > > Would IPSEC between resolver and upstream forward be a possible mitigation to this issue ? > > Sure, both solve the problem. In particular, any secure channel protocol, > between the proxy resolver and an upstream forwarder, prevents the attacks.
so, if we develop eastlake cookies, which is necessary in any case due to the ddos reflection problems, then your fragmentation related problems go away? vixie
_______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs