
discuss - Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia

discuss AT lists.opennicproject.org

Subject: Discuss mailing list




  • From: Alex <coyo AT darkdna.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia
  • Date: Wed, 02 May 2012 20:25:34 -0500
  • Openpgp: id=C34ED745

On 5/2/2012 8:22 PM, opennic AT lewman.us wrote:
> On Wed, 02 May 2012 00:22:39 -0500
> Alex <coyo AT darkdna.net> wrote:
>
>> Out of sheer curiosity, and a desire to protect my friend, Alex
>> Hanselka's pet project, I wanted to ask you all what all can be done
>> to mitigate the threat of attacks such as concerted DDOS attacks
>> against specific name servers, such as the IP address of the single
>> authoritative root name server of OpenNIC.
> Step 1. Do not have a single IP address with a single authoritative
> root name server of OpenNIC.
>
>> What attack countermeasures are possible, to mitigate attack, other
>> than the obvious anti-cracking things like making sure you have a
>> strong password, etc?
> Basically, since opennic is recreating the same environment as the
> current solitary root name servers, do what they do.
>
> Work with the ISP to do BGP routing changes to nullroute DDoS attacks
> when they occur. Implement anycast for root name servers.
>
>> 7) Is there such a thing as name server software that allows for
>> DNSSEC and DANE that makes it easy to rotate certificates?
> Not yet. In fact, DNSSEC/DANE will increase the DoS attack surface. A
> single client can flood requests requiring crypto ops to be performed by
> the authoritative server, thereby overwhelming the CPU or dedicated
> crypto hardware.
>

Is there a way to offload or separately handle DNSSEC/DANE on a separate
farm of servers?

Maybe even if DNSSEC/DANE is out for the count, you could still resolve
the A records?

Attachment: 0xC34ED745.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature



