ietf-mailsig

Re: Question about fenton-identified-mail-01

2004-10-22 07:01:56

domainkeys-feedbackbase01(_at_)yahoo(_dot_)com writes:

--- Cullen Jennings <fluffy(_at_)cisco(_dot_)com> wrote:

in section 9.1.1 an attack is considered where all the email addresses are spoofed and sent to many locations to cause a DoS attack on the key server.

...

correlate enough that caching ends up significantly reducing the hits to the KRS.

Given that caching is entirely optional, adds a layer of deployment complexity and adds almost no benefit to most receivers, I would not want to rely on widespread deployment as a defense. The internet only deploys what it has to, not what it should do.

If this were true, there would be no DNS caching either. Caching happens when it's in the cacher's interest to do so. If the choice is to suffer the real costs of throughput degradation vs. caching, the receivers will use caches. It's not like they have no stake in it, after all; it costs real money to keep mail state in an MTA for longer periods of time.

And it's manifestly untrue that it adds almost no benefit,
any more than it's true that DNS based caching adds no
benefit; you can't have it both ways.

             Mike
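As an added illustration that is not part of the thread and not code from any of its participants or from the identified-mail draft: the point at issue is that a receiver-side key cache only relieves the key record server (KRS) when the same signing domain is looked up repeatedly at the same receiver within the cache lifetime. The constructed simulation below (hypothetical `KeyCache`, `simulate` and `flood` names, and a made-up `victim.example` domain) counts KRS lookups for a flood of messages claiming one signing domain, first concentrated on a few receivers, then spread across many receivers, and finally with caching disabled.

```python
"""Simulate how receiver-side key caching changes the load on a key record server (KRS)."""
from collections import defaultdict


class KeyCache:
    """A single receiver's per-domain cache of signing keys fetched from the KRS.

    Entries expire after ``ttl`` seconds. Every miss is counted as one KRS
    lookup. The clock is passed in explicitly so the simulation is deterministic.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}      # domain -> (key, expiry time)
        self.krs_lookups = 0

    def get_key(self, domain, now):
        entry = self.entries.get(domain)
        if entry is not None and entry[1] > now:
            return entry[0]                        # cache hit: no KRS traffic
        self.krs_lookups += 1                      # cache miss: ask the KRS
        key = "key-for-" + domain                  # stand-in for the fetched key material
        self.entries[domain] = (key, now + self.ttl)
        return key


def simulate(messages, ttl):
    """Run (time, receiver, sender_domain) messages through per-receiver caches.

    Returns the total number of KRS lookups generated across all receivers.
    """
    caches = defaultdict(lambda: KeyCache(ttl))
    for t, receiver, domain in sorted(messages):
        caches[receiver].get_key(domain, t)
    return sum(c.krs_lookups for c in caches.values())


def flood(n_messages, n_receivers, domain="victim.example", spacing=1.0):
    """Constructed workload: n_messages all claiming `domain`, one every `spacing`
    seconds, spread round-robin over n_receivers distinct receiving MTAs."""
    return [(i * spacing, "mx%d" % (i % n_receivers), domain)
            for i in range(n_messages)]


if __name__ == "__main__":
    ttl = 3600.0
    # 1000 messages concentrated on 10 receivers: the caches absorb all but 10 lookups.
    print("10 receivers:  ", simulate(flood(1000, 10), ttl))
    # The same 1000 messages spread over 1000 receivers: each receiver sees the
    # domain once, so caching cannot help and every message reaches the KRS.
    print("1000 receivers:", simulate(flood(1000, 1000), ttl))
    # ttl=0 models receivers that do not cache at all.
    print("no caching:    ", simulate(flood(1000, 10), 0.0))
```

The two middle cases are the crux of the disagreement above: a cache at each receiver cuts KRS traffic only to the extent that lookups for a domain correlate at that receiver within the TTL, so an attacker who spreads spoofed messages thinly across many receivers sidesteps the benefit, while ordinary correlated mail flow is served almost entirely from cache.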

