I've read the _Silence Is Not Golden_ paper (https://dl.acm.org/doi/pdf/10.1145/3576915.3616647) and I've written a response to it, and to Ondrej, and to this thread generally. It's as long as an RFC so based on early feedback I've posted it to my "blog": http://consulting.m3047.net/dubai-letters/silence-is-tactical.html (That server does not take kindly to automated trespass.)

As I have stated there, the malaise in question is easily achievable for authoritative server operators as an own goal / unforced error; severity depends on how many stakeholders' domains are administered (pain = count(stakeholders) * count(domains)). To the extent that it is a disease prevalent in the population it is incubated and spreads on the overcrowded ranches and feedlots of the public DNS providers and resolver operators whose stocks are traded on the British financial exchanges far from the grasslands and pastures of Colorado and Wyoming.

Espousing the view that private operators should respond to literally thousands of spoofed / abusive queries for every one legitimate one cannot be taken seriously by sane people, and is not observed in the field. I strongly suggest that this should not be a hill that ISC chooses to die on.

Why does the _BIND 9_ Response Policy Zone (RPZ) implementation provide Drop and NXDOMAIN policies, but not REFUSED?

The right not to respond SHOULD be entrenched as a core Internet principle. The notion that unrelated parties are obliged to respond on behalf of third parties who do not coordinate with them is strange, overreaching, and dangerous.

I welcome discussion publicly or privately.

-- Fred Morris, internet plumber