[dns-operations] DNS whitelisting
David Ulevitch
davidu at everydns.net
Wed Mar 8 22:44:24 UTC 2006
On Mar 8, 2006, at 2:12 PM, Paul Vixie wrote:
> # > What you see and what you think you see are not always the same thing. :)
> # > Not everything has to be a honey pot, either.
> #
> # Yep -- another good argument against blocking. To quote Paul, people often
> # do "stupid dns tricks." They shouldn't be punished for it.
>
> they wouldn't be getting punished for doing stupid dns tricks. they'd be
> caught in the crossfire between non-BCP38 launchpoints and ultimate victims.

How far up the prefix chain would you block? By announcement? By /32
of the resolver?

If Speakeasy isn't BCP38 compliant and they have 1000s of small
businesses, many of whom may be running open resolvers behind them,
are they just considered "motivation to become BCP38 compliant?"

I do think that in the short term there will be a net effect of port
53 firewalling to deal with "dns problems" but I see that happening
before BCP38 network changes -- it's a far simpler change for most
organizations.

-david