

To: dnsop@cafax.se
From: Bruce Campbell <bruce.campbell@ripe.net>
Date: Thu, 31 Oct 2002 17:18:12 +0100 (CET)
In-Reply-To: <200210310715.QAA04653@necom830.hpcl.titech.ac.jp>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

On Thu, 31 Oct 2002, Masataka Ohta wrote:

> Bruce;
>
> > This secures the backchannel.  This does not stop the individual anycast
> > roots from being the subject of DoS attacks.  Given that we do not see a
> > definitive way to stop _all_ DoS attacks[1], we should focus on making
> > sure that the data retrieved is authoritative.
>
> Hugh?
>
> Protection against DoS attacks and protection against forgery are
> conceptually orthogonal.

For one class of DoS attack, yes.  For DoS attacks which are purely
focused on the Denial aspect, the (anycast) victim root can have every
protection against forgery that you can name, and it still would have its
service unavailable to legitimate clients.

Hence anycast is a good idea, in that there are more targets, thus the
possibility of _all_ roots being taken out diminishes.

> Note that an ISP may run anycast root servers on all the 13 root
> server addresses that DoS on some does not redirect query to a
> root server operated by someone else.

Certainly, and there's nothing technical stopping ISPs from doing that
today.

> > Hence, we're back to the
> > previous thread on this list, being a proposal to sign the root zone.
>
> Even if you believe in public key cryptography, what's wrong with
> https?

You mentioned using https for (anycast) roots to _retrieve_ the root zone
from an authoritative source.  Wonderful, it'd definitely be a workable
solution for this backchannel, hence there's nothing wrong with https in
that context.

However, signing the root zone helps the clients, who, due to the design
of DNS, do not have the option of using https to query the roots.

> 							Masataka Ohta

-- 
                           Bruce Campbell                  RIPE NCC
