Re: [DNSOP] Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Joe Abley
Dean, On 1 Sep 2008, at 20:57, Dean Anderson wrote: mostly operations people (as opposed to credible engineers)? If av8.net starts selling t-shirts, I'll take one with that phrase. There is no harm in public resolvers. Not to the people running the resolvers, usually, no. Joe

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Joe Abley wrote: Dean, On 1 Sep 2008, at 20:57, Dean Anderson wrote: mostly operations people (as opposed to credible engineers)? If av8.net starts selling t-shirts, I'll take one with that phrase. Perhaps a t-shirt should have this quote from Paul Vixie:

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Danny McPherson
On Sep 2, 2008, at 9:47 AM, Joe Abley wrote: There is usually no harm to anyone from open resolvers. No one has reported any further attacks since this draft was conceived. That is not true. It's possible that the forums in which such attacks are discussed are not available to you, of

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Joe Abley wrote: On 2 Sep 2008, at 11:04, Dean Anderson wrote: There is no harm in public resolvers. Not to the people running the resolvers, usually, no. There is usually no harm to anyone from open resolvers. No one has reported any further attacks since

[DNSOP] DNSKEY / multiprecision number format? (fwd)

2008-09-02 Thread Dean Anderson
If someone could forward this to DNSEXT WG, I would appreciate it. Thanks, --Dean -- Forwarded message -- Date: Sat, 30 Aug 2008 23:14:44 -0400 (EDT) From: Dean Anderson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: DNSKEY / multiprecision number format? I'm

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Joe Abley
On 2 Sep 2008, at 13:43, Dean Anderson wrote: Really? Your position is that there are attacks but all these attacks are somehow being kept secret? People talked about ping floods, syn floods, and an uncountable slew of other attacks. Incredible. My point is that there are a large number of

Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-02 Thread Stephane Bortzmeyer
On Mon, Sep 01, 2008 at 04:49:12PM -0400, Paul Wouters [EMAIL PROTECTED] wrote a message of 18 lines which said: many issues there which are not addressed [...] authenticated denial of existence, Although I agree with your criticism that there is no published *specification* of DNScurve

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Mark Andrews
2) Why would anyone capable of programming bother searching for open recursors (with often small connection speeds) when they can use 100+ root servers with large amplification factors and high bandwidth connections at key exchange points? Because there are much better amplification

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Kevin Darcy
Dean Anderson wrote: A useful technique for scan detection is a non-production special server. Scanners show up in the logs; no one else does. Dnscache, BIND, and PowerDNS all have the necessary logging capabilities. http://en.wikipedia.org/wiki/Honeypot_(computing) - Kevin
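The "non-production special server" idea above, worked through as an added example that is not part of the thread: every source that queries a resolver with no legitimate clients is by definition probing it, so the detection job is mostly aggregation and labelling. The script below assumes BIND 9 querylog lines of the shape `client ADDR#PORT: query: NAME CLASS TYPE FLAGS`, where a leading `+` in FLAGS means recursion desired and `E` means EDNS was present; the log lines are constructed for the example, not captured data, and the three verdict labels are the author's own, not BIND's.

```python
"""Scan detection on a non-production (honeypot) resolver's query log.

Added example, not code from the DNSOP thread. Assumes BIND 9 querylog
line layout; SAMPLE_LOG below is constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
02-Sep-2008 10:01:02.123 client 192.0.2.10#53211: query: isc.org IN ANY +E (198.51.100.5)
02-Sep-2008 10:01:02.456 client 192.0.2.10#53211: query: isc.org IN ANY +E (198.51.100.5)
02-Sep-2008 10:01:03.001 client 192.0.2.10#53211: query: isc.org IN ANY +E (198.51.100.5)
02-Sep-2008 10:02:10.900 client 203.0.113.7#1025: query: www.example.net IN A - (198.51.100.5)
02-Sep-2008 10:03:15.111 client 203.0.113.8#40000: query: version.bind CH TXT - (198.51.100.5)
this line is not a query log entry and is skipped
"""

# Matches the BIND 9 querylog layout assumed in the lead-in.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_querylog(text):
    """Turn querylog text into a list of dicts; non-matching lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rd"] = rec["flags"].startswith("+")   # recursion desired
        rec["edns"] = "E" in rec["flags"]           # EDNS present (larger replies)
        records.append(rec)
    return records


def summarize(records):
    """Aggregate per source address: counts, query types/names, probe markers."""
    per_src = defaultdict(lambda: {
        "count": 0, "qtypes": set(), "qnames": set(), "edns_any": 0, "chaos": False,
    })
    for r in records:
        s = per_src[r["ip"]]
        s["count"] += 1
        s["qtypes"].add(r["qtype"])
        s["qnames"].add(r["qname"])
        if r["qtype"] == "ANY" and r["edns"]:
            s["edns_any"] += 1            # ANY+EDNS is the classic amplification shape
        if r["qclass"] == "CH":
            s["chaos"] = True             # version.bind-style fingerprinting
    return dict(per_src)


def classify(summary):
    """Label every source. On a resolver with no real clients, all of them are probes;
    the labels only say what kind. Thresholds are illustrative assumptions."""
    verdicts = {}
    for ip, s in summary.items():
        if s["chaos"]:
            verdicts[ip] = "fingerprint"
        elif s["edns_any"] >= 2 and len(s["qnames"]) == 1:
            verdicts[ip] = "reflection-probe"   # repeated ANY for one name = testing us as a reflector
        else:
            verdicts[ip] = "scanner"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(summarize(parse_querylog(SAMPLE_LOG))).items()):
        print(f"{ip:16} {verdict}")
```

The useful property of the honeypot approach is that there is no baseline to model: any hit is a finding, and the only analysis left is distinguishing a reflector test (many ANY queries with EDNS for one name, which is what a large-response reflection needs) from a plain sweep or a version fingerprint. On a production resolver the same aggregation would need a whitelist of legitimate clients before any verdict could be trusted.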

Re: [DNSOP] I think we may have a solution - DNSCurve

2008-09-02 Thread Mark Andrews
On Mon, Sep 01, 2008 at 04:49:12PM -0400, Paul Wouters [EMAIL PROTECTED] wrote a message of 18 lines which said: many issues there which are not addressed [...] authenticated denial of existence, Although I agree with your criticism that there is no published *specification* of

Re: [DNSOP] DNSKEY / multiprecision number format? (fwd)

2008-09-02 Thread Mark Andrews
If someone could forward this to DNSEXT WG, I would appreciate it. Thanks, --Dean -- Forwarded message -- Date: Sat, 30 Aug 2008 23:14:44 -0400 (EDT) From: Dean Anderson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: DNSKEY / multiprecision number format?
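For the DNSKEY question above, as an added example that is neither Dean's nor Mark's code: the thread does not reproduce the question body, so this assumes it concerns the RSA public-key layout of RFC 3110, where the base64 public key field holds a one-byte exponent length (or a zero byte followed by a two-byte length when the exponent exceeds 255 octets), then the exponent, then the modulus, both as unsigned big-endian integers with no sign or length bits of their own. The decoder and encoder below implement that layout; the key material in the usage section is synthetic and not a real key.

```python
"""Decode and encode the RSA public key field of a DNSKEY RR (RFC 3110 layout).

Added example, not from the DNSOP/DNSEXT threads. The modulus used in
main() is a synthetic integer, not a real RSA key.
"""
import base64

# DNSSEC algorithm numbers that carry an RSA key in this layout (IANA registry).
RSA_ALGORITHMS = {1, 5, 7, 8, 10}


def parse_rsa_public_key(public_key_b64):
    """Return (exponent, modulus) from the base64 public key field of an RSA DNSKEY."""
    data = base64.b64decode(public_key_b64)
    if not data:
        raise ValueError("empty public key field")
    exp_len = data[0]
    offset = 1
    if exp_len == 0:                       # long form: 0x00 then 16-bit length
        if len(data) < 3:
            raise ValueError("truncated long-form exponent length")
        exp_len = int.from_bytes(data[1:3], "big")
        offset = 3
    if exp_len == 0 or len(data) < offset + exp_len + 1:
        raise ValueError("exponent length inconsistent with key field size")
    exponent = int.from_bytes(data[offset:offset + exp_len], "big")
    modulus = int.from_bytes(data[offset + exp_len:], "big")
    return exponent, modulus


def build_rsa_public_key(exponent, modulus):
    """Inverse of parse_rsa_public_key: base64 public key field for (exponent, modulus)."""
    if exponent <= 0 or modulus <= 0:
        raise ValueError("exponent and modulus must be positive")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        header = bytes([len(e)])
    else:
        header = b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(header + e + n).decode("ascii")


def parse_dnskey_presentation(rdata_text):
    """Split presentation-format RDATA 'FLAGS PROTOCOL ALGORITHM KEY...' and decode
    the key if the algorithm is an RSA one; other algorithms return key=None."""
    fields = rdata_text.split()
    if len(fields) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol, algorithm and key")
    flags, protocol, algorithm = (int(fields[0]), int(fields[1]), int(fields[2]))
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    key_b64 = "".join(fields[3:])          # presentation form may split the base64
    key = parse_rsa_public_key(key_b64) if algorithm in RSA_ALGORITHMS else None
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "is_ksk": bool(flags & 0x0001), "key": key}


if __name__ == "__main__":
    synthetic_modulus = (1 << 1023) | 0x10001   # synthetic, not a real key
    field = build_rsa_public_key(65537, synthetic_modulus)
    print(parse_dnskey_presentation(f"257 3 5 {field}"))
```

The check worth keeping from this is the length consistency test in the decoder: a key field whose declared exponent length runs past the end of the data, or leaves no bytes for the modulus, is malformed and should be rejected rather than decoded into a zero modulus that a later verifier might silently accept.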

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Joe Abley wrote: On 2 Sep 2008, at 13:43, Dean Anderson wrote: Really? Your position is that there are attacks but all these attacks are somehow being kept secret? People talked about ping floods, syn floods, and an uncountable slew of other attacks. Incredible.

Re: [DNSOP] Reflectors are Evil was Re: Anycast was Re: Cache poisoning on DNSSEC

2008-09-02 Thread Dean Anderson
On Tue, 2 Sep 2008, Danny McPherson wrote: On Sep 2, 2008, at 12:44 PM, Dean Anderson wrote: I find this hard to believe from three standpoints: 1) the expected number of open DNS recursors and their collective bandwidth doesn't seem to be large enough to support a 40Gbps attack.