> 
>> First layer of defense: BCP 38
>>
>> Second layer of defense (because there are those who cannot or will not 
>> implement the first layer): Restrict recursive service by default
> 
> If you mean 'restrict software configuration defaults', I'm OK with
> that.
> 
> If the draft is amended to only recommend that vendors should alter
> their _default_ software configuration, then I will not object to the
> draft.
> 
>> Third layer of defense (because there are those who cannot or will not
>> implement the first or second layers): Reactively filter abusive
>> recursors (as Dean suggested).
> 
>

Folks,

Based on the response that we have seen from the WG so far, I don't see
any reason to amend the draft. BCP 38 is already published.

The questions before the WG are:

- is BCP38 enough to mitigate the attack vectors described in
draft-ietf-dnsop-reflectors-are-evil-06?
- is filtering after the attack has begun good enough?

If the answer to both of these questions is "no", the document can go
forward as is.

                                      Ron
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
