The other problem with DNSSEC is that it does not get you anything today - a first correct
answer sent as a plain DNS response will still cause the DNS server to ignore subsequent

It seems like there should be some way to block responses from a client after a given number
of incorrect UDP port injection attempts - at least then an attacker would have to distribute
his attack across many different attacking computers instead of sending millions of
unsolicited responses from a single computer.
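
A sketch of the per-source counter proposed above, as an added example that is not part of the original comment. The `MismatchTracker` class, its threshold and window, and the sample addresses are all hypothetical. It keys on the source address carried in the packet, which for UDP is whatever the sender wrote there, so the constructed sample also shows what happens to the genuine answer once that address is blocked.

```python
import time
from collections import defaultdict, deque

class MismatchTracker:
    """Per-source count of DNS responses that match no outstanding query."""

    def __init__(self, threshold=3, window=10.0):
        self.threshold = threshold        # mismatches in window that trigger a block
        self.window = window              # sliding window, seconds
        self.outstanding = set()          # (server_ip, local_port, txid)
        self.misses = defaultdict(deque)  # src_ip -> mismatch timestamps
        self.blocked = set()

    def sent_query(self, server_ip, local_port, txid):
        self.outstanding.add((server_ip, local_port, txid))

    def on_response(self, src_ip, dst_port, txid, now=None):
        now = time.monotonic() if now is None else now
        if src_ip in self.blocked:
            return "dropped"
        key = (src_ip, dst_port, txid)
        if key in self.outstanding:
            self.outstanding.discard(key)     # one answer per query
            return "accepted"
        q = self.misses[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:  # expire old mismatches
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(src_ip)
            return "blocked"
        return "mismatch"

def demo():
    # Constructed sample: one real query, then three responses to wrong
    # ports/IDs bearing the server's address, then the genuine answer.
    t = MismatchTracker(threshold=3, window=10.0)
    t.sent_query("192.0.2.53", 40001, 0x1A2B)
    events = [
        ("192.0.2.53", 40002, 0x0001, 0.0),
        ("192.0.2.53", 40003, 0x0002, 0.1),
        ("192.0.2.53", 40004, 0x0003, 0.2),
        ("192.0.2.53", 40001, 0x1A2B, 0.3),  # genuine answer arrives last
    ]
    return [t.on_response(*e) for e in events]

if __name__ == "__main__":
    print(demo())
```

In the sample the genuine answer is dropped because the block is keyed on an address the sender controls, so a counter like this is safer as a detection signal or a trigger to retry over TCP than as a hard block.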