[dnssec-deployment] DNSSEC plenary discussion paper - trust anchors, last mile, etc.

Matthew Pounsett matt.pounsett at cira.ca
Wed Jan 7 15:38:29 EST 2009


On 07-Jan-2009, at 08:18 , W.C.A. Wijngaards wrote:

> - From a conversation with Mark, I thought all of them. I recall  
> agreeing
> with him that the incremental approach had superior attack avoidance  
> in
> some scenarios. I may well be wrong, and people from ISC are better
> suited to commenting on Binds abilities here.

Without incremental validation, isn't there a huge gaping DoS  
vulnerability?  As an attacker, I don't need to flood your network to  
DoS your server, I just need to get invalid answers there faster than  
the valid ones to prevent you from ever looking up that domain.

Matt



-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url : http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20090107/59fe620d/attachment.bin 


More information about the Dnssec-deployment mailing list