On 2014-02-17, at 11:58, joel jaeggli <joe...@bogus.com> wrote:

> On 2/16/14, 8:48 AM, Joe Abley wrote:
>
>> We can't do anything that will cause larger responses, because EDNS
>> support is not widespread, and in any case the network can't reliably
>> deliver fragments.
>
> in the context of reflection attacks (next paragraph) more packets is
> perhaps not the most helpful thing.

The problem to solve at the DNS end of the equation boils down to good enough client authentication to be able to distinguish between attack traffic and legitimate queries. The problem is not "how to stop putting things in the DNS".

Waiting for the universal implementation of the recommendations in BCP38 doesn't seem like the most proactive approach.

Joe