[dns-operations] BCP38 (was Re: EDNS0 )

Andrew Sullivan andrew at ca.afilias.info
Thu Mar 2 12:40:16 UTC 2006

On Thu, Mar 02, 2006 at 05:07:25AM +0000, Paul Vixie wrote:

> apparently the thought of this kind of filtering is disturbing enough to
> overcome the natural desire to laugh maniacally whenever BCP38 is mentioned.

For me, the reason that BCP38 is the preferred stick to reach for is
that filtering open recursive servers will only solve the problem
temporarily, for one service.  First, an attack of this nature
(although it appears not of this magnitude, so far) is still
available for other UDP services.  Plus, this attack actually turns
into a reason _not_ to adopt DNSSEC exactly when we're trying to
convince people that they need it, since widespread adoption of
DNSSEC would make this attack available again without the recursive
servers (as Mark Andrews has argued).  And it's a powerful
disincentive to "first movers" in DNSSEC, who make themselves targets
of such an attack while others don't have the same problem.

So if we're going to try to fix this, let's fix it the right way. 
(Yeah, I know.  We heard that before, and BCP38 adoption is where it
is now.)


Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew at ca.afilias.info>                              M2P 2A8
                                        +1 416 646 3304 x4110
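The BCP38 ingress check the post argues for, as an added Python illustration (not code from the post, from Afilias or from any router vendor): a packet entering on a customer-facing interface is forwarded only if its source address belongs to a prefix delegated to that interface, so forged-source queries never reach the open resolvers. The interface names, prefixes and addresses are constructed.

```python
"""BCP38-style source-address validation at a provider edge (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # claimed source address
    dst: str          # destination (here: an open recursive resolver)
    dport: int


# Constructed: prefixes legitimately assigned to each customer-facing interface.
# A real deployment derives this table from the provisioning/routing system.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")],
    "ge-0/0/2": [ip_network("198.51.100.0/25")],
}


def source_is_valid(ingress_if: str, src: str) -> bool:
    """BCP38 check: source must fall inside a prefix delegated to the ingress
    interface.  Unknown interfaces and mismatched IP versions fail closed."""
    addr = ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ingress_if, []))


def filter_packets(packets):
    """Apply the ingress filter; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_is_valid(p.ingress_if, p.src) else dropped).append(p)
    return forwarded, dropped


# Constructed traffic toward resolvers at 203.0.113.53/54: two genuine queries
# and two whose source is forged to point the replies at someone else.
SAMPLE = [
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.53", 53),
    Packet("ge-0/0/1", "2001:db8:1::5", "2001:db8:ffff::53", 53),
    Packet("ge-0/0/1", "198.51.100.7", "203.0.113.53", 53),   # forged: another customer's address
    Packet("ge-0/0/2", "203.0.113.9", "203.0.113.54", 53),    # forged: an external address
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for p in drop:
        print(f"  dropped forged source {p.src} arriving on {p.ingress_if}")
```

Filtering at the resolvers instead would stop only DNS reflection; this check stops the forged source before it can reach any UDP service, which is the point of the post.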
