William F. Maton Sotomayor wrote:
> On Wed, 10 Sep 2008, Mark Andrews wrote:
>
>> In message <[EMAIL PROTECTED]>, David Conrad writes:
>>
>>>> At this point, I will sit quietly for a while and let the WG comment
>>>> on whether they think that your proposed
>>>> alternative mitigation is adequate. On Friday, the WG chairs will
>>>> gauge consensus and I will take appropriate action.
>>>>
>>> Given the stunningly successful implementation of BCP038 over the 8
>>> years since it has been published, I believe relying on it as a
>>> mitigation strategy against open resolver attacks is simply silly and
>>> discussing it largely a waste of time.
>>>
>> While I encourage everyone to deploy BCP 38, wherever possible, I
>> don't believe we should be relying on BCP 38 deployment to prevent
>> recursive servers being abused.
>>
>
> BCP 38 is one tool in the mitigation box, but it doesn't mean that it can
> only be the *only* tool available. So I agree with Mark.
>

First layer of defense: BCP 38

Second layer of defense (because there are those who cannot or will not implement the first layer): Restrict recursive service by default

Third layer of defense (because there are those who cannot or will not implement the first or second layers): Reactively filter abusive recursors (as Dean suggested).

- Kevin