I'm interested in improving the baseline.
And DNSSEC is a step backwards, now that we've eliminated RSA-1024 from the CA ecosystem
Replying to @dakami @WatsonLadd and
No, it’s just a tree rooted on RSA-1024 keys. In 2016. But don’t worry! 2048 is planned!
Replying to @tqbf @WatsonLadd and
looks like that changeover is in a month. Whereas you're scheduled to deliver an alternative never
Replying to @dakami @WatsonLadd and
Correct, because no alternative is needed; the effort is harmful.
Need I point out that long DNS responses are hellfire missiles of DDOS?
Replying to @WatsonLadd @dakami and
That’s true, but really, all of DNS is that (for instance, ANY queries.)
Replying to @tqbf @WatsonLadd and
ANY/MX/SRV/NS queries are for non-interactive lookups, can force TCP without user impact.
NSEC/NSEC3 also require O(logN) tree lookups. O(1) hash is possible without.
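The O(log N) versus O(1) point in the tweet above, as an added example that is not part of the thread or any participant's code: an unsigned authoritative server can answer "this name does not exist" from a hash set, while an NSEC-signed zone has to locate, by binary search over the canonically ordered owner names, the NSEC record whose owner sorts just before the query name, because that record is the proof it must return. The zone contents are constructed; the class and function names are this example's own.

```python
"""Why an NSEC-signed zone answers NXDOMAIN with a sorted search rather than a hash lookup.

Constructed example: the toy zone below is made up, not real DNS data.
"""


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 section 6.1):
    names compare label by label from the root end, case-insensitively,
    as octet strings; a name sorts before any of its own subdomains."""
    labels = [l.lower().encode("ascii") for l in name.strip(".").split(".") if l]
    return tuple(reversed(labels))


class Zone:
    def __init__(self, owner_names):
        # One canonical copy of every owner name, sorted as an NSEC chain would be.
        self.names = sorted({n.lower() for n in owner_names}, key=canonical_key)
        self.keys = [canonical_key(n) for n in self.names]
        # The only structure an unsigned server needs: a hash set of names.
        self.existing = set(self.keys)
        self.probes = 0  # comparisons made by the last NSEC search, for illustration

    def exists_plain(self, qname):
        """Unsigned DNS: O(1) average hash lookup; NXDOMAIN needs no proof."""
        return canonical_key(qname) in self.existing

    def _bisect_left(self, key):
        """Binary search over the canonically sorted names, counting probes."""
        lo, hi = 0, len(self.keys)
        self.probes = 0
        while lo < hi:
            mid = (lo + hi) // 2
            self.probes += 1
            if self.keys[mid] < key:
                lo = mid + 1
            else:
                hi = mid
        return lo

    def covering_nsec(self, qname):
        """Signed DNS: to deny qname the server must find the NSEC record whose owner
        sorts immediately before qname and whose 'next' field sorts after it.
        Returns (owner, next) or None when qname exists. O(log N) per query.
        Simplified: a complete NXDOMAIN proof also needs the NSEC covering the
        wildcard at the closest encloser (RFC 4035 section 3.1.3.2)."""
        key = canonical_key(qname)
        i = self._bisect_left(key)
        if i < len(self.keys) and self.keys[i] == key:
            return None
        owner = self.names[i - 1] if i > 0 else self.names[-1]
        nxt = self.names[i % len(self.names)]  # the chain wraps back to the apex
        return owner, nxt


# Constructed zone data for the demonstration (deliberately mixed case and unsorted).
CONSTRUCTED_ZONE = ["example.", "www.example.", "Mail.example.", "a.example.",
                    "ns1.example.", "z.example."]

if __name__ == "__main__":
    z = Zone(CONSTRUCTED_ZONE)
    print(z.names)
    print(z.exists_plain("WWW.example."))
    print(z.covering_nsec("bogus.example."), "probes:", z.probes)
    print(z.covering_nsec("zz.example."), "probes:", z.probes)
    big = Zone(["h%04d.example." % i for i in range(1024)] + ["example."])
    big.covering_nsec("nope.example.")
    print("1025 names, probes:", big.probes)
```

The probe counter is there to make the growth visible: six names take three comparisons, a thousand take about ten, while the hash-set check stays at one regardless of zone size. NSEC3 replaces the names with hashes but still has to find the covering record in a sorted hash ring, so the search cost is the same.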
Bottom line: DNSSEC does make DNS DDOS mitigation much harder.
Replying to @colmmacc @WatsonLadd and
Don’t get me wrong: DNSSEC DDOS is a problem! Just not biggest DNSSEC problem.
it's a DNS problem, not a DNSSEC problem