On Thu, Aug 21, 2008 at 10:12:46PM +0200, bert hubert wrote:
> A more advanced way is:
>
> 5) Stop accepting new data below the attacked apex, but also stop expiring
> it.
Ok, I've been pondering another one, and I wonder if it will work.

While under attack,

5a) become ultra-paranoid and don't accept any data except the first answer
record. Ignore new NS records, CNAME chains, additional records etc.

This would make the NSSet of the attacked domain expire, but it would be
refreshed from the parent zone when that happens.

While the attacker could try to target that event as well, it too would
be detected.

An attacker can then still take over xaaaaaaaaa.ietf.org, but he won't be
able to spread this to the NS records.

Bert

--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
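Added example (not code from the message above, nor from PowerDNS): a toy cache-admission model of the two "under attack" policies Bert sketches, option 5 (below the attacked apex, accept nothing new and stop expiring what is cached) and option 5a (accept only the first answer record, ignore further answers, NS records in authority and the additional section). The record layout, the policy names "5"/"5a", the `attacked` set of apexes, and the poisoned reply for xaaaaaaaaa.ietf.org (192.0.2.0/24 and .example are documentation values) are all constructed for illustration; how the resolver decides an apex is under attack, and the normal-mode bailiwick checks, are out of scope here.

```python
"""Toy model of two 'under attack' cache policies for a recursive resolver.

Constructed example: record and response types are a minimal stand-in for
a real parser, not any resolver's actual data structures.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record (hypothetical minimal representation)."""
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class Response:
    """The three sections of a DNS reply, already parsed."""
    qname: str
    answer: List[RR]
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def attacked_apex(name: str, attacked: Set[str]) -> Optional[str]:
    """Return the apex in `attacked` that `name` is at or below, else None."""
    n = _norm(name)
    for apex in attacked:
        a = _norm(apex)
        if n == a or n.endswith("." + a):
            return a
    return None


def admit(resp: Response, attacked: Set[str], policy: str) -> List[RR]:
    """Records from `resp` the cache is allowed to learn.

    policy "5":  below an attacked apex, accept nothing new at all.
    policy "5a": below an attacked apex, accept only the first answer record;
                 later answers (CNAME chains), authority (NS) and additional
                 records are dropped, so a spoofed reply for a random child
                 name cannot replace the NS set of the apex.
    Outside an attacked apex both policies behave the same. The bailiwick
    checks a real resolver applies in normal mode are not modelled here.
    """
    if attacked_apex(resp.qname, attacked) is None:
        return resp.answer + resp.authority + resp.additional
    if policy == "5":
        return []
    if policy == "5a":
        return resp.answer[:1]
    raise ValueError(f"unknown policy {policy!r}")


CacheKey = Tuple[str, str]  # (owner name, rtype)
CacheEntry = Tuple[RR, float]  # (record, time it was stored)


def expire(cache: Dict[CacheKey, CacheEntry], now: float,
           attacked: Set[str], policy: str) -> Dict[CacheKey, CacheEntry]:
    """Drop entries whose TTL has run out.

    Policy "5" freezes everything below an attacked apex (no expiry), while
    policy "5a" lets the NS set expire as usual, so it is refreshed from the
    parent zone rather than from data learned during the attack.
    """
    kept: Dict[CacheKey, CacheEntry] = {}
    for key, (rr, stored_at) in cache.items():
        frozen = policy == "5" and attacked_apex(rr.name, attacked) is not None
        if frozen or now < stored_at + rr.ttl:
            kept[key] = (rr, stored_at)
    return kept


# Constructed poisoned reply: a plausible answer for a random child name,
# carrying a rogue NS record for the apex plus glue for the rogue server.
POISONED = Response(
    qname="xaaaaaaaaa.ietf.org",
    answer=[RR("xaaaaaaaaa.ietf.org", "A", "192.0.2.10")],
    authority=[RR("ietf.org", "NS", "ns.attacker.example")],
    additional=[RR("ns.attacker.example", "A", "192.0.2.66")],
)


if __name__ == "__main__":
    for policy in ("5", "5a"):
        print(policy, admit(POISONED, {"ietf.org"}, policy))
```

Under policy "5a" the attacker still gets the bogus A record for xaaaaaaaaa.ietf.org into the cache, exactly as the message says, but the rogue NS and glue never make it in; under policy "5" nothing from the reply is accepted, and the cached NS set is kept past its TTL.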