North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Verisign broke GTLDs again?
Florian Weimer wrote: > * Michael Tokarev: > > >>Well ok, I know it's kinda expected -- "i don't understand what you're >>asking for, can't even repeat your question". But the next question >>is -- *why*? > > EDNS0 can be easily abused for traffic amplication purposes. 8-( Root and TLD nameservers rarely have large answers to queries to exceed 512 bytes. (And for those rare cases if they exists, TCP connection should be established to get a reply -- this does not work quite well for forged UDP traffic, but it's still more legitimate traffic than larger UDP replies). But this does not really matter. I repeat: One don't have to "support" EDNS0, just don't report it as error, like broken routers does with ECN. And in this "mode of operations" there's no MORE ways to abuse it for the said purpose than currently exists. /mjt