2008/9/10 Ron Bonica <[EMAIL PROTECTED]>:
>
>>
>>> First layer of defense: BCP 38
>>>
>>> Second layer of defense (because there are those who cannot or will not
>>> implement the first layer): Restrict recursive service by default
>>
>> If you mean 'restrict software configuration defaults', I'm OK with
>> that.
>>
>> If the draft is amended to only recommend that vendors should alter
>> their _default_ software configuration, then I will not object to the
>> draft.
>>
>>> Third layer of defense (because there are those who cannot or will not
>>> implement the first or second layers): Reactively filter abusive
>>> recursors (as Dean suggested).
>>
>>
>
> Folks,
>
> Based on the response that we have seen from the WG so far, I don't see
> any reason to amend the draft. BCP 38 is already published.
>
> The questions before the WG are:
>
> - is BCP38 enough to mitigate the attack vectors described in
> draft-ietf-dnsop-reflectors-are-evil-06

This is like asking: "Will safe driving prevent car accidents?" The exact
answer to your question is "yes", but the reality is that BCP38 is not going
to be universally deployed soon, so my answer, with a touch of reality, is NO.

> - is filtering after the attack has begun good enough

No. And I don't understand why the burden of open resolvers should be
put on the shoulders of the attacked DNS operators.

> If the answer to both of these questions is "no", the document can go
> forward as is.

Ondrej.
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23,120 00 Praha 2,Czech Republic
mailto:[EMAIL PROTECTED] http://nic.cz/
sip:[EMAIL PROTECTED] tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop