Paul Vixie on DNSSEC vs. DNSCurve
Cricket Liu (Infoblox)
When I wrote my recent blog posting on DNSSEC vs. DNSCurve, I wasn't aware that Paul Vixie had already written his own blog entry on the same subject. His post also explains ISC's stance on DNSCurve. Recommended reading.
Posted in DNSSEC
Mar 23, 2010 at 9:10 AM
I was confused by Paul's blog - he indicates that, quote: "...UDP source port randomization is good enough to take the Dan Kaminsky spoofed-flood class of attack completely off the table..." - I commented on his post about this statement, to which he responded that ten hours of Gigabit-speed flooding is not a practical attack.
I'd say there's a big difference between "not practical" and "not possible" - moreover, I'd think that what is not practical "today" may become so in the future as internet speeds continue to evolve (increase).
Bottom line: if UDP port randomization is enough to take care of the issue, why are we even discussing DNSSEC?
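As an added illustration of the bandwidth argument raised in the comment above (this is not code from the original post, and the figures are not Vixie's), the model below estimates how long a spoofed-reply flood needs before a forged answer matches the resolver's transaction ID, with and without source port randomization, and how that estimate shrinks as link speed grows. The 100-byte forged packet, the full 16-bit port entropy and the independent-guess model are assumptions; the point is the linear scaling with bandwidth, not the absolute number of hours.

```python
TXID_BITS = 16   # DNS transaction ID: a 16-bit header field
PORT_BITS = 16   # UDP source port: 16 bits, assumed uniformly randomized here

def guess_space(txid_bits=TXID_BITS, port_bits=0):
    """Number of (TXID, source port) pairs a forged reply has to match."""
    return 2 ** (txid_bits + port_bits)

def forged_replies_per_second(link_bps, packet_bytes):
    """Forged replies a flood of this packet size can push through the link."""
    return link_bps / (packet_bytes * 8)

def expected_seconds(link_bps, packet_bytes, port_bits, txid_bits=TXID_BITS):
    """Expected time until one forged reply matches.

    Assumed model: the resolver picks a fresh TXID/port for every retried
    query, so each forged reply is an independent uniform guess and the
    number of replies until a hit is geometric with mean = guess space.
    """
    return guess_space(txid_bits, port_bits) / forged_replies_per_second(
        link_bps, packet_bytes)

def hours_by_link_speed(port_bits, packet_bytes=100, speeds_gbps=(1, 10, 100)):
    """Expected hours to a match per link speed; 10x bandwidth -> 10x shorter."""
    return {g: expected_seconds(g * 1e9, packet_bytes, port_bits) / 3600
            for g in speeds_gbps}

if __name__ == "__main__":
    # Constructed scenario: 1/10/100 Gbit/s floods of 100-byte forged replies.
    print("guess space, TXID only   :", guess_space(port_bits=0))
    print("guess space, TXID + port :", guess_space(port_bits=PORT_BITS))
    for label, bits in (("TXID only", 0), ("TXID + random port", PORT_BITS)):
        for gbps, hours in hours_by_link_speed(bits).items():
            print(f"{label:18s} {gbps:4d} Gbit/s -> {hours:10.4f} h")
```

Under these assumptions a 16-bit TXID alone falls in a fraction of a second at 1 Gbit/s, while adding 16 bits of port entropy pushes the expected wait to roughly an hour, and each tenfold increase in attacker bandwidth divides that wait by ten.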