> One observation is that the delegation to CPE routers (home gateways) is
> contradictory to RFC6092:
> 
>  REC-8   By DEFAULT, inbound DNS queries received on exterior
>            interfaces MUST NOT be processed by any integrated DNS
>            resolving server.
> 
> Not suggesting delegation to CPE shouldn't happen, but it would
> negate this requirement.

DNS amplification attacks caused, at least partly, by DNS proxies in
CPEs are a significant problem. Note that this is often due to the CPEs
being open to *recursive* queries. A delegation would only need replies
to zones the CPE was authoritative for - however, I'm afraid such a
distinction would be lost on many CPE manufacturers.

There are also ISPs that block outgoing DNS queries to (residential)
CPEs, precisely because of DNS amplification attacks by these CPEs.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
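
The distinction drawn in the reply above (answer only for zones the CPE is authoritative for, never recurse for queries arriving on the exterior interface), as an added example that is not part of the original thread. The zone name, function names and decision labels are assumptions made for illustration.

```python
import struct

# Hypothetical zone delegated to the CPE (constructed for this example).
AUTHORITATIVE_ZONES = ("home.example.net",)

def parse_qname(msg: bytes):
    """Return the lower-cased QNAME of a DNS query, or None if malformed."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:   # a response, or not exactly one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:                  # root label ends the name
            break
        if length > 63 or pos + length > len(msg):  # pointer or overlong label
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):               # QTYPE and QCLASS must follow
        return None
    return ".".join(labels)

def in_zone(qname: str, zone: str) -> bool:
    # Match on a label boundary so "evilhome.example.net" is not in the zone.
    return qname == zone or qname.endswith("." + zone)

def wan_decision(msg: bytes) -> str:
    """Policy for a query received on the exterior (WAN) interface."""
    qname = parse_qname(msg)
    if qname is None:
        return "DROP"
    if any(in_zone(qname, z) for z in AUTHORITATIVE_ZONES):
        return "ANSWER_AUTHORITATIVE"    # from local zone data; RD bit is ignored
    return "REFUSE"                      # never recurse on behalf of WAN clients

def build_query(qname: str, rd: bool = True) -> bytes:
    """Build a constructed A/IN query for exercising the policy."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)
```
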
