Thu Mar 2 20:04:59 UTC 2006

# > ... so there's no reason why we should wait before we demand safe
# > networking from all recursive servers.
# <chuckle> So if someone suggested to you that you switch to a different DNS
# server, would you do it?

if the alternative was getting shunned by a bunch of the root and tld servers,
i'd have to examine those alternatives very carefully.

# Most ISPs have been around for 10 years or more now, their systems are
# integrated.  Change isn't as easy as you suggest.  And with a function as
# critical as dns it'll generate even more resistance.

"it's just deja vu all over again."  (wrt things folks said about closing
their open smtp relays about 10 years ago when i started telling them they
had to.)

# Honestly, this will take 10 years to secure and in the process we will lose
# important troubleshooting capabilities (using someone else's name server to
# confirm that a site is where it's supposed to be).  It's a bad solution to
# try and IP block dns. There has got to be a better way.

:-).  there is a better way, it's called universal BCP38.  the problem with
that as a solution is that the folks who have to deploy BCP38 are not the ones
being victimized by this attack (i.e., neither the amplifiers nor the targets).

we don't get to decide, none of us, whether others will deploy BCP38.  we do
get to decide whether we'll accept packets from known packet-amplifiers.  that
is an ugly state of affairs and i don't like it any more than you do.
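As an added example, not part of the thread above: the kind of check an operator of a recursive server can run to see whether off-net sources are using it as an amplifier. It scans constructed, BIND-style query-log lines and counts recursion-desired queries from addresses outside the server's own client prefixes; the log format, the prefixes and the sample addresses are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a BIND-style query-log format (assumption:
# "client <ip>#<port>: query: <name> IN <type> <flags>", where a "+" flag
# means the client asked for recursion and "-" means it did not).
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: www.example.com IN A + (198.51.100.5)
client 192.0.2.11#40022: query: mail.example.com IN MX + (198.51.100.5)
client 203.0.113.7#1024: query: example.net IN ANY + (198.51.100.5)
client 203.0.113.7#1024: query: example.net IN ANY + (198.51.100.5)
client 203.0.113.7#1024: query: example.net IN ANY + (198.51.100.5)
client 198.18.0.9#5555: query: example.org IN ANY - (198.51.100.5)
"""

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) ([+-])")


def flag_offnet_recursion(log_text, allowed_prefixes, min_queries=1):
    """Return {(source_ip, qtype): count} for recursion-desired queries that
    arrive from outside the prefixes this server is meant to serve.

    Such queries are what an open recursive server answers on behalf of
    spoofed sources; a source that sends many of them (especially ANY) is a
    sign the server is being used as an amplifier and should be closed to
    off-net clients rather than left open.
    """
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _name, qtype, rd_flag = m.groups()
        if rd_flag != "+":
            continue  # non-recursive queries are not amplified by this server
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in nets):
            continue  # on-net client, recursion is expected
        counts[(src, qtype)] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    # The 192.0.2.0/24 prefix stands in for the operator's own customers.
    for (src, qtype), n in flag_offnet_recursion(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(f"off-net recursion from {src}: {n} x {qtype}")
```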

