[cabfpub] Pre-Ballot 125 - CAA Records
Phillip Hallam-Baker
philliph at comodo.com
Mon Jul 21 18:37:09 UTC 2014
Over and above any other DNS record that already exists...
CAA records are much smaller than DNSSEC records. And the whole amplification attack meme is pretty silly since virtually all network hardware is going to find the overhead of packet processing much higher than payload processing. Sure there might be a DNS server that can saturate its output bandwidth, those certainly existed in the 1990s. But these days its actually quite rare.
On Jul 21, 2014, at 2:11 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> Siggy, how does the addition of a CAA record make DoS or DNS amplification attacks more problematic?
>
> -----Original Message-----
> From: Sigbjørn Vik [mailto:sigbjorn at opera.com]
> Sent: Monday, July 21, 2014 12:21 AM
> To: Rick Andrews; Geoff Keating; Stephen Davidson
> Cc: cabfpub
> Subject: Re: [cabfpub] Pre-Ballot 125 - CAA Records
>
> On 17-Jul-14 23:51, Rick Andrews wrote:> Siggy,
>>
>> There are a number of Security Considerations in Section 6 of the CAA
>> RFC (_http://tools.ietf.org/html/rfc6844#page-13_) which detail
>> possible abuse.
>
> I don't see DoS or DNS amplification listed there.
>
> --
> Sigbjørn Vik
> Opera Software
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140721/143a13eb/attachment-0003.html>
More information about the Public
mailing list