[Discuss] free SSL certs from the EFF
Edward Ned Harvey (blu)
blu at nedharvey.com
Thu Dec 4 20:35:30 EST 2014
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Derek Atkins
>
> Richard Pieri <richard.pieri at gmail.com> writes:
>
> > Which results in a denial of service for clients if DNSSEC is
> > enforced. That's not protecting users; that's dumping them into black
> > holes.
>
> Some say DoS, some say protected. If someone is trying to poison my DNS
> Cache I'd rather ignore them and blackhole than accept their attack and
> go to the wrong place. Besides, DNS allows me to go ask multiple
> sources for information.
+1
The correct behavior is to refuse to use corrupted data, and probably retry the query to get good data. If an intermediary router wants to cause a DoS, then stripping security would be the stupidest way possible to execute such an attack - rather than just dropping the packet.