
> I'm not very familiar with DNSCurve but I don't think it has any mechanisms to prevent amplification.

The DNSCurve page discusses amplification:


The main point is that amplification is primarily a problem because of DNSSEC records causing small requests to generate very large responses, so if people would use DNSCurve instead then even if the responses were somewhat larger than the requests they wouldn't be so by a factor of 120:1 or more, which is the real issue.

But yes, there are multiple ways to solve the problem. CurveCP (a derivative of DNSCurve) does the same thing, requiring the initial packet to be as large as the response. For that matter DNSCrypt is somewhat a derivative of DNSCurve/CurveCP as well.

The point is that it's quite possible to solve the problem and still use UDP.
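Added example, not part of the comment above and not code from the DNSCurve, CurveCP or DNSCrypt projects: a toy model of the rule the comment describes (a responder never returns more bytes than it was sent), alongside an amplification-factor check a defender can run over request/response sizes. The packet sizes, the `Exchange` type and the 256-byte minimum request length are constructed assumptions for illustration.

```python
"""Toy model of the 'response may not exceed request size' rule the comment
attributes to DNSCurve/CurveCP, plus an amplification-factor check over
constructed request/response sizes."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exchange:
    name: str
    request_bytes: int
    response_bytes: int


def amplification_factor(ex: Exchange) -> float:
    """Bytes sent back per byte received: the multiplier a spoofed source
    address gets for free from an open UDP responder."""
    return ex.response_bytes / ex.request_bytes


def bounded_response(request_len: int, payload: bytes,
                     min_request: int = 256) -> Optional[bytes]:
    """Server-side rule modelled on the comment: if the answer is never larger
    than the question, the responder cannot amplify. Requests below
    `min_request` (an assumed threshold) are ignored as unpadded, and a payload
    longer than the request is withheld so the client must send a larger,
    padded request instead."""
    if request_len < min_request:
        return None  # too small to be a padded query; drop it
    if len(payload) > request_len:
        return None  # would amplify; do not send
    return payload


def flag_amplifying(exchanges: List[Exchange], threshold: float = 10.0) -> List[str]:
    """Detection helper: names of exchanges whose factor meets `threshold`."""
    return [ex.name for ex in exchanges if amplification_factor(ex) >= threshold]


# Constructed sizes, not measurements: a small UDP query that pulls a large
# DNSSEC answer versus a padded DNSCurve-style query with a same-sized reply.
SAMPLES = [
    Exchange("plain-dnssec-query", 60, 3000),
    Exchange("padded-curve-query", 512, 480),
]

if __name__ == "__main__":
    for ex in SAMPLES:
        print(f"{ex.name}: {amplification_factor(ex):.1f}x")
    print("flagged:", flag_amplifying(SAMPLES))
```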

