[scrpl]

Small, less complex protocols are inherently less likely to be insecure all things being equal, simply due to reduced attack surface.

DNS was created for a different environment, at a time when security wasn't at forefront so it's not a good example of the opposite.

[Avamander]

This is such a strong claim I'd really appreciate something other than "smaller is better"

Abuse and abuse vectors vary wildly in complexity, some complexity is certainly required exactly to avoid dumb bottlenecks if not vulnerabilities. So based on what are you saying something simple will inherently resist abuse better?

[baby_souffle]

> Small, less complex protocols are inherently less likely to be insecure all things being equal, simply due to reduced attack surface.

That feels intuitive in the "less code is less bugs is less security issues" sense but implies that "secure" and "can't be abused" are the same thing.

Related? Sure. Same? No.

Oddly enough, we probably could have prevented the replay/amplification dos attacks that use DNS by making DNS more complex / adding mutual authentication so it's not possible for A to request something that is then sent to B.

[LK5ZJwMwgBbHuVI]

We could have prevented the replay/amplification dos attacks that use DNS by making DNS use TCP.

In practice though the only way to "fix" DNS that would've worked in the 80s would've probably been to require the request be padded to larger than the response...

[smallnix]

But TCP is way more complex

[LK5ZJwMwgBbHuVI]

... yeah? I know? "In practice though the only way to "fix" DNS that would've worked in the 80s would've probably been to require the request be padded to larger than the response..."

It's not as complex as some "mutual authentication" scheme though lmao