DNS Sec amplifies even more a DNS amplification DDOS attack

Although a security initiative aimed at making DNS more secure exists — DNSSEC — it does not necessarily address the issue of spoofed source addresses. DNS requests and responses typically use the UDP protocol, rather than the TCP protocol. The latter requires a three-way handshake to establish a channel and confirm with the machine it is talking to that it did, in fact, initiate a connection. The former, however, does not.


Instead of being an issue that DNSSEC might solve, it is actually a transport protocol problem that has little to do with the additional security measures that DNSSEC might offer. However, as Cloudflare and others have pointed out in the past, DNSSEC can make the issue worse, as the additional keys required to authenticate records further increases the magnitude of amplification that an attacker has access to.

the domainextension .be uses dnssec .......

what are the risks of that because if we or its installations become a target or are used against a target .....

The comments are closed.