Chuck Swiger wrote:

> It seems clear that people who want to run a recursive nameserver will
> be able to change this if your proposed change is made. However, which
> problem are you trying to solve with it?

Well, having a wide open anything on the network is pretty much a bad idea nowadays. While the current press surrounding the open resolver DDoS problem is drawing attention to this particular part of the issue, it's bad for us to start what is supposed to be a local resolver in wide open mode in any case. (Which, as I pointed out already, is not what we are doing.)

> Yes, people can send queries with a spoofed sender to perform a DoS, and
> yes, permitting recursive queries lets the attacker choose a large
> response from any zone rather than having to tailor the attack to each
> nameserver.

Yes, that is one variant of the attack that we're trying to mitigate.

> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level.

Yes, but long years of history (not to mention the obvious economic incentive) have shown that this will not happen. Therefore we need to attack this problem directly, using available mechanisms.

Doug

-- 
This .signature sanitized for your protection

Received on Thu Jun 08 2006 - 20:22:50 UTC
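For readers following the thread, here is an added illustration (not from the original message or the FreeBSD change under discussion) of what "wide open" versus "local resolver" means in BIND 9 named.conf terms; the interface address and the use of the `options` block are assumptions, and the exact defaults shipped by any given system may differ.

```conf
// Added example, not the configuration discussed in the thread.
// "Wide open" resolver: answers recursive queries for anyone who can reach it,
// so a spoofed query from the Internet yields a large response sent to the victim.
options {
    recursion yes;                 // recursion enabled...
    allow-recursion { any; };      // ...for every source address
    listen-on { any; };            // on every interface
};

// Local-only resolver: recursion is still available, but only to this host,
// so spoofed queries from outside are refused and cannot be amplified here.
options {
    recursion yes;
    listen-on { 127.0.0.1; };      // bind only to loopback (assumed address)
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
};
```

The `allow-recursion` and `listen-on` restrictions address the resolver side of the problem Doug describes; they do not replace source-address (egress) filtering at the ISP, which is what would stop the spoofed packets from being sent in the first place.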