DNS was Re: Internet Vulnerabilities

... beyond that, security and anycast don't mix well without the data
being authenticated, e.g. dnssec.

i won't disagree. anycast's cost:benefit analysis is compellingly against
its use in most situations. root name service may be one of them. now, if
the ops community can figure out a way to secure the edge->core boundary
such that packets heard by a DDoS victim will have reasonable IP source
addresses, then that would be better overall. however, in the 36 hours
since i last cleared the ipfw stats on c.root-servers.net, i see:

   packets       bytes rule
 938231392 60808555788 pipe 1 udp from any to any 53 in
  48248328  2919355408 deny ip from to any in
  34199691  2254707782 deny ip from to any in
  16030262  1061648337 deny ip from to any in

and so i don't see much chance that IP source addresses will be believable
any time during the working lives of anyone now reading this. i also think
the likelihood of wide scale dnssec deployment within the next year or two
is two orders of magnitude lower than the likelihood of a DDoS against the
root server system. "more later."
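The counters above make the point only if you can read them quickly: how much of what reached the server hit source-address deny rules versus the DNS pipe rule. The script below is an added example, not code from the post or from the root-server operators; it parses text in the same packets/bytes/rule shape as the ipfw output quoted above and reports the denied share. The sample lines are constructed: the packet and byte counts are copied from the post, but the source prefixes in the deny rules are placeholders (RFC 1918 space, which should never arrive as a source address on a public server), since the post elides the real ones.

```python
"""Summarise ipfw-style counter output: traffic that hit source-address
deny rules versus traffic that reached the DNS pipe rule."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the ipfw counters quoted in the post.
# The counts are the post's; the source prefixes are placeholders
# (RFC 1918 networks), NOT the rules actually configured on that host.
SAMPLE_IPFW = """\
   packets       bytes rule
 938231392 60808555788 pipe 1 udp from any to any 53 in
  48248328  2919355408 deny ip from 10.0.0.0/8 to any in
  34199691  2254707782 deny ip from 172.16.0.0/12 to any in
  16030262  1061648337 deny ip from 192.168.0.0/16 to any in
"""

# <packets> <bytes> <rule text>; the header line has no leading digits and is skipped
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*\S)\s*$")
# "from <src> to" inside a rule body; <src> is a prefix, "any", "me", etc.
SRC_RE = re.compile(r"\bfrom\s+(\S+)\s+to\b")


@dataclass(frozen=True)
class RuleCounter:
    packets: int
    octets: int
    rule: str

    @property
    def action(self) -> str:
        return self.rule.split()[0]

    @property
    def source(self) -> Optional[str]:
        # Returns None when the source is missing (as in the post's elided lines)
        m = SRC_RE.search(self.rule)
        return m.group(1) if m else None


def parse_ipfw_counters(text: str) -> List[RuleCounter]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        rows.append(RuleCounter(int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def is_bogon_source(src: Optional[str]) -> bool:
    """True when the rule's source prefix is not globally routable
    (private, loopback, link-local, documentation ranges, ...), i.e. a
    source that only spoofing or a leak could have produced."""
    if src in (None, "any", "me"):
        return False
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False  # not a prefix (a table name, a hostname, ...)
    return not net.is_global


def summarize(rules: List[RuleCounter]) -> Dict[str, object]:
    denied = [r for r in rules if r.action == "deny"]
    total_pkts = sum(r.packets for r in rules)
    denied_pkts = sum(r.packets for r in denied)
    return {
        "rules": len(rules),
        "total_packets": total_pkts,
        "denied_packets": denied_pkts,
        "denied_bytes": sum(r.octets for r in denied),
        "denied_packet_share": denied_pkts / total_pkts if total_pkts else 0.0,
        "bogon_deny_rules": sum(1 for r in denied if is_bogon_source(r.source)),
    }


if __name__ == "__main__":
    summary = summarize(parse_ipfw_counters(SAMPLE_IPFW))
    for key, value in summary.items():
        print(f"{key:>20}: {value}")
```

Run against the sample, the deny rules account for a little under a tenth of the packets that arrived in the 36-hour window; that ratio, tracked over time rather than read once, is the operational signal the post is pointing at. The parser deliberately tolerates a deny line whose source is missing (it reports `source` as `None` rather than guessing), so it can be run over the post's own lines unchanged.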