Roy Arends <r...@dnss.ec> writes:

> That, IMHO is already captured by the last paragraph. I did not
> explicitly write a recipe of how to do that, and which servers could
> be used for that :-). Could you suggest text to improve the last
> paragraph without naming services?

Erg. I hate it when I have to come up with text :-P

How about replacing the last sentence of security considerations with:

    This method can be abused by intentionally deploying broken zones
    with agent domains that are delegated to victims. This is
    particularly effective when DNS requests that trigger error
    messages are sent through open resolvers [RFC8499] or widely
    distributed network monitoring systems that perform distributed
    queries from around the globe. Implementations SHOULD rate-limit
    outgoing error messages to a recipient to no more than 1 a minute.

[reword as you will, of course... the last sentence subject to the largest debate]

--
Wes Hardaker
USC/ISI
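
One way a resolver could enforce the rate limit proposed in the message above, shown as an added example that is not part of the original email or of any draft text. It assumes the "recipient" is identified by the agent domain; the class name, the bounded table and the drop-when-full behaviour are hypothetical design choices.

```python
import time
from collections import OrderedDict


class ErrorReportLimiter:
    """At most one outgoing error report per recipient per interval."""

    def __init__(self, interval=60.0, max_entries=10000, clock=time.monotonic):
        self.interval = interval
        self.max_entries = max_entries  # hypothetical bound on tracked recipients
        self.clock = clock
        self._last_sent = OrderedDict()  # recipient -> time of last report

    @staticmethod
    def _key(agent_domain):
        # Assumption: the "recipient" is the agent domain. DNS names are
        # case-insensitive, and a trailing root dot does not change the name.
        return agent_domain.rstrip(".").lower()

    def allow(self, agent_domain):
        now = self.clock()
        key = self._key(agent_domain)
        # Entries are appended in send order, so expired ones sit at the front.
        while self._last_sent:
            oldest, sent = next(iter(self._last_sent.items()))
            if now - sent < self.interval:
                break
            del self._last_sent[oldest]
        if key in self._last_sent:
            return False  # a report went to this recipient within the interval
        if len(self._last_sent) >= self.max_entries:
            return False  # table full: drop the report rather than evict state
        self._last_sent[key] = now
        return True


# Constructed sample: (seconds, agent domain taken from a broken zone's response)
CONSTRUCTED_EVENTS = [
    (0, "agent.example."), (10, "Agent.Example"), (20, "reports.example.net."),
    (30, "third.example.org."), (61, "agent.example."),
    (79, "reports.example.net."), (80, "reports.example.net."),
]


def demo(events=CONSTRUCTED_EVENTS):
    t = [0.0]
    limiter = ErrorReportLimiter(interval=60.0, max_entries=2, clock=lambda: t[0])
    decisions = []
    for at, agent in events:
        t[0] = float(at)
        decisions.append(limiter.allow(agent))
    return decisions
```

Dropping reports when the table is full, instead of evicting the oldest entry, keeps a flood of distinct agent domains from flushing the state that limits an existing recipient.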