>> Well then we're completely screwed because nothing is going to get
>> DNSSEC implemented quickly, and the 10 hour number is going to get
>> shorter with improvements in hardware and increased parallelism.
this ain't like that. rate limiting is a simple fix. if your RDNS happens to have a GigE path all the way back to the attacker population, you can put in a software firewall rule limiting ingress to 10Mbit per source IP and this attack recedes. note that most RDNS' are connected by a lot less than GigE on their full path toward possible attackers, so this is largely theoretical.

so while Polyakov's attack is another reason to invest in DNSSEC for the long term, it is NOT a reason to panic again in the immediate/short/medium term.

-- 
Paul Vixie

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
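The "software firewall rule limiting ingress to 10Mbit per source IP" that Vixie describes above, written out as an nftables ruleset for a recursive resolver host. This is an added example, not something posted in the thread or shipped by any project: the table and set names are made up here, the host is assumed to run a Linux kernel with nftables, and 10 Mbit/s is converted to 1250 kbytes/second because nft expresses byte-based limits in kbytes/second.

```nft
# Added example (not from the thread): per-source-IP ingress rate limit on
# the resolver host, in the spirit of the 10Mbit-per-source rule Vixie describes.
# Table/set names are constructed for this example.
table inet rdns_ingress_limit {

    # Dynamic set keyed by source address; each element carries its own
    # token-bucket limiter, so every remote host gets an independent budget.
    set per_source_meter {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Inbound UDP from any single source above 10 Mbit/s (1250 kB/s) is dropped.
        # The counter lets an operator see how often the limit actually trips.
        meta l4proto udp \
            add @per_source_meter { ip saddr limit rate over 1250 kbytes/second } \
            counter drop comment "per-source ingress cap, 10Mbit/s"

        # Everything under the cap, including normal DNS traffic, falls through
        # to the default accept policy.
    }
}
```

Load it with `nft -f <file>` and watch `nft list ruleset` afterwards: the `counter` on the drop rule is the quickest way to confirm whether any source is actually hitting the cap. On a resolver whose upstream path is well under GigE, as Vixie notes for most RDNS deployments, the counter will generally stay at zero, which is the point of his "largely theoretical" remark.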
