[nsp-sec] DNS DDoS uptick

Chris Morrow morrowc at ops-netman.net
Tue Apr 7 14:50:57 EDT 2009



On Tue, 7 Apr 2009, Florian Weimer wrote:

> ----------- nsp-security Confidential --------
>
> My personal opinion (and you probably won't like it) is that this
> issue, even in a much escalated variant, can be dealt with by several
> steps:

(not disagreeing with you, just a question or 2)

>
>  - a widely replicated root of a limited size (replication must
>    remain feasible)

as in . not sun.com. right? (though pushing out sun.com. to many anycasted 
or 'local' places has its merits as well, I think. and associated 
tradeoffs with management of course.)

>
>  - use of per-country or regional TLDs for most services, with
>    dedicated name service (so that attacks on the TLD name service
>    can be mitigated locally, and non-local traffic can be filtered
>    graciously)

This seemed like a great idea 'back in the day' but everyone essentially 
bought .com domains :( and I don't see the ccTLD folks hosting in-country 
(for all but the larger countries at least). I hope that the ccTLD op has 
in their contract that they must run a copy 'local' to the cc, but...

>
>  - important services must have backup name service on the same
>    network(s), not just centralized, external DNS service

can you define this a little better? I think it's important to have DNS 
servers in more than one location (network and geography) but is that what 
you meant here? or 'all of sun.com's nameservers should be in sun's 
network'?? Clearly pointing all of your DNS servers into register.com was 
a 'bad plan' last week :( but if you are the attackee you'd have just 
brought the pain to register.com & 'otherprovider' :(

>
> Some of the services/setups I use regularly aren't too far away from
> that.

clarify?

-Chris
(is this a set of things that should end up in a more public and 
accessible format? not rfc2182, which for whatever reason people aren't 
reading/heeding)
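The point in the exchange above about backup name service "on the same network(s), not just centralized, external DNS service" is the RFC 2182 advice in practice: several servers, on distinct networks, with at least one under the zone owner's own control. The script below is an added example written for this archive page, not code from either poster; it scores an NS set against that advice using an inline address table that stands in for a whois/BGP lookup. All hostnames, addresses (RFC 5737 documentation ranges) and operator names are constructed.

```python
"""Added example: RFC 2182-style diversity check for a zone's NS set."""
import ipaddress
from collections import Counter

# Constructed NS set: every server hosted at one external registrar,
# the "all your DNS servers point into register.com" pattern from the thread.
EXAMPLE_NS_SET = {
    "ns1.example-registrar.test": "192.0.2.10",
    "ns2.example-registrar.test": "192.0.2.20",
    "ns3.example-registrar.test": "192.0.2.30",
}

# Constructed NS set spread across the owner's network and two providers.
DIVERSE_NS_SET = {
    "ns1.example.test": "192.0.2.10",
    "ns2.example.test": "198.51.100.5",
    "ns-ext.other-provider.test": "203.0.113.77",
}

# Constructed prefix -> operator table; in practice this comes from
# whois/BGP data, which is assumed and not part of the page.
EXAMPLE_PREFIX_TABLE = {
    "192.0.2.0/24": "registrar-hosted",
    "198.51.100.0/24": "own-network",
    "203.0.113.0/24": "other-provider",
}


def operator_for(addr, prefix_table):
    """Longest-prefix-free lookup: first table entry containing addr, else None."""
    for prefix, operator in prefix_table.items():
        if addr in ipaddress.ip_network(prefix):
            return operator
    return None


def assess_ns_set(ns_set, prefix_table, own_operator=None):
    """Evaluate an NS set against the advice quoted in the thread.

    Returns a dict with the server count, the distinct /24 (v4) or /48 (v6)
    prefixes seen, the per-operator counts, and a list of findings; an empty
    findings list means the set passes every check applied here.
    """
    operators = Counter()
    prefixes = set()
    for _host, ip in ns_set.items():
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 48
        prefixes.add(str(ipaddress.ip_network(f"{addr}/{plen}", strict=False)))
        operators[operator_for(addr, prefix_table) or "unknown"] += 1

    findings = []
    if len(ns_set) < 2:
        findings.append("fewer than two name servers")
    if len(prefixes) < 2:
        findings.append("all servers share one prefix; one flooded prefix takes all of them")
    if len(operators) < 2:
        findings.append("all servers run by a single operator")
    if own_operator is not None and operators.get(own_operator, 0) == 0:
        findings.append("no server on the zone owner's own network")
    return {
        "servers": len(ns_set),
        "prefixes": sorted(prefixes),
        "operators": dict(operators),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, ns_set in (("external-only", EXAMPLE_NS_SET), ("diverse", DIVERSE_NS_SET)):
        report = assess_ns_set(ns_set, EXAMPLE_PREFIX_TABLE, own_operator="own-network")
        print(name, report["operators"], report["findings"] or "ok")
```

Feeding a real zone into this means replacing the constructed dicts with the NS records and addresses actually resolved for it; the checks themselves stay the same, and a non-empty findings list is the cue to add a server on another network before an outage rather than after.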
