
Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review



On Tue, Jun 2, 2009 at 1:02 AM, Douglas Otis <dotis at mail-abuse.org> wrote:
...
Defensive solutions for TCP cannot cope with the attack levels that might be created by a small bot-net. TCP quickly suffers from resource exhaustion. DNS over UDP avoids this propensity. However, the brute strength of DNS over UDP can be leveraged to attack other network infrastructure, and perhaps overwhelm resource capacity. This is especially a concern when an MTA authorization protocol ignores UDP exponential back-off and then prematurely initiates additional transactions. This is made even more destructive when message recipients generate an order of magnitude more transactions, transformed by message local-parts, directed toward any victim from fully cached DNS records. This provides for free DDoS attacks while spamming. These attacks might also be used to instigate DNS cache poisoning.

Right. Furthermore... I think the discussion began when Doug mentioned the concerns with abuse of SPF validation by receiving MTA/MDA/MUAs (in fact, suggesting I expand on this risk, which I mentioned in my review article, but, I agree, not in sufficient detail). These abuses involved DDoS as well as DNS poisoning (a la Kaminsky).

I think it is important to remember that all the solutions discussed later in this thread (DNSSEC, DNS over TCP, DNS over SCTP, etc.) are long-term solutions; i.e., as long as most of the Net continues to use DNS over UDP (at least as one option, or even the default) and has not yet adopted DNSSEC, these risks remain. I refer to the risks due to fully RFC-compliant SPF validation by MTA/MDAs (and MUAs, although I'm not sure this qualifies as RFC compliant).
--
Amir Herzberg
Associate Professor, Dept. of Computer Science
Bar Ilan University
http://AmirHerzberg.com
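Added example, not code from this thread or from any SPF implementation: a small Python model of the RFC 4408 section 8 macro expansion and the section 10.1 cap on DNS-querying terms. It shows the mechanism the thread refers to: a record author can use `exists:` with the `%{l}` (local-part) and `%{i}` (client IP) macros so that every receiver-side SPF check sends a query to a name under a third party's zone, and that name differs per message, so resolver caches do not absorb the load. The domain names (spam.example, victim.example, mail.example.org), both records and the three messages are constructed for the demo; the `ptr` handling is an IPv4-only approximation of that mechanism's first query.

```python
"""Constructed demo: how SPF macros turn per-message data into receiver-originated
DNS queries.  Implements RFC 4408 s8 macro expansion and the s10.1 term limit.
All names and messages below are made up for the example."""
import re

# %% %_ %- literals, or %{letter}[digits][r][delimiters]  (RFC 4408 s8.1)
MACRO_RE = re.compile(r"%(%|_|-|\{([slodiph])(\d*)(r?)([.\-+,/_=]*)\})", re.I)
# Terms that cause a DNS query; RFC 4408 s10.1 allows at most 10 per check.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
CIDR_RE = re.compile(r"/\d+(//\d+)?$")


def expand_macros(spec, sender, domain, client_ip, helo):
    """Expand the macros in one domain-spec for one message."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local or "postmaster", "o": sender_domain,
              "d": domain, "i": client_ip, "h": helo, "p": "unknown"}

    def repl(m):
        token = m.group(1)
        if token in ("%", "_", "-"):
            return {"%": "%", "_": " ", "-": "%20"}[token]
        letter, count, reverse, delims = m.group(2, 3, 4, 5)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:                 # "r" transformer: reverse the parts
            parts.reverse()
        if count:                   # digits: keep only the right-most N parts
            parts = parts[-int(count):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, spec)


def term_name(term):
    """(name, domain-spec) of one SPF term, without qualifier or CIDR suffix."""
    term = term.lstrip("+-~?").lower()
    if term.startswith("redirect="):
        return "redirect", term[len("redirect="):]
    name, _, spec = term.partition(":")
    return name.split("/")[0], spec          # "a/24" -> "a"


def dns_targets(record, sender, domain, client_ip, helo):
    """Names one evaluation of `record` queries for one message, in order."""
    targets = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        name, spec = term_name(term)
        if name not in DNS_TERMS:            # all, ip4, ip6, exp=... need no query
            continue
        if name == "ptr":                    # first query is the reverse name (IPv4 form)
            spec = "%{ir}.in-addr.arpa"
        spec = CIDR_RE.sub("", spec) or "%{d}"   # default to the current domain
        targets.append(expand_macros(spec, sender, domain, client_ip, helo).lower())
    return targets


def count_dns_terms(record):
    """Number of DNS-querying terms in the record (what s10.1 caps at 10)."""
    return sum(term_name(t)[0] in DNS_TERMS for t in record.split()[1:])


def exceeds_lookup_limit(record, limit=10):
    """RFC 4408 s10.1: more than `limit` DNS-querying terms is a PermError."""
    return count_dns_terms(record) > limit


def names_queried(record, domain, messages):
    """Distinct names a receiver queries while checking `record` across many messages."""
    names = set()
    for sender, client_ip, helo in messages:
        names.update(dns_targets(record, sender, domain, client_ip, helo))
    return names


# --- constructed sample data -------------------------------------------------
SENDER_DOMAIN = "spam.example"
# Record an abusive sender might publish: each check queries a zone the sender
# does not control, under a name unique to the message's local-part and IP.
ABUSIVE_RECORD = ("v=spf1 exists:%{l}._spf.victim.example "
                  "exists:%{i}.%{l}._spf.victim.example -all")
# Record with no per-message variation: the same two names every time (cacheable).
ORDINARY_RECORD = "v=spf1 mx a:mail.example.org -all"
MESSAGES = [  # (MAIL FROM, client IP, HELO)
    ("alice@spam.example", "192.0.2.10", "mx1.spam.example"),
    ("bob@spam.example", "192.0.2.10", "mx1.spam.example"),
    ("carol@spam.example", "198.51.100.7", "mx2.spam.example"),
]

if __name__ == "__main__":
    for label, rec in (("abusive", ABUSIVE_RECORD), ("ordinary", ORDINARY_RECORD)):
        names = names_queried(rec, SENDER_DOMAIN, MESSAGES)
        print(f"{label}: {count_dns_terms(rec)} lookups per message, "
              f"{len(names)} distinct names over {len(MESSAGES)} messages")
        for n in sorted(names):
            print("   ", n)
```

Note that the abusive record uses only two DNS-querying terms, well inside the ten-term limit, so that limit does not by itself address the fan-out: the cost comes from every message producing a fresh, uncacheable name under the victim's zone, which is exactly the per-local-part transformation described in the quoted paragraph.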