Re: DNS Server DoS Attacks
Rob Payne writes:
> You want to turn the root zone into a signed "hosts.txt" (RFC 952,
> 953), and how, exactly does that scale
I already answered that: ``Effects on load: Everybody will receive the
entire zone, rather than just the parts they need. On the other hand,
any sensible format would be much smaller than DNS packet format. More
importantly, the data will be cached much more effectively than it is
with the current root-zone protocol. Most importantly, the load will be
very widely distributed.''
The last factor is, as I said, the most important one. USENET wouldn't
notice if ten copies of the root zone---or ten thousand copies---were
sent out every day.
> it did not scale the last time
Nobody really tried to make it scale, but this is beside the point.
``Root zone'' does not mean ``complete list of Internet hosts.''
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago