[dns-operations] DNS whitelisting

David Ulevitch davidu at everydns.net
Wed Mar 8 22:44:24 UTC 2006

On Mar 8, 2006, at 2:12 PM, Paul Vixie wrote:

> # > What you see and what you think you see are not always the same  
> thing. :)
> # > Not everything has to be an honey pot, either.
> #
> # Yep -- another good argument against blocking.  To quote Paul,  
> people often
> # do "stupid dns tricks."  They shouldn't be punished for it.
> they wouldn't be getting punished for doing stupid dns tricks.   
> they'd be
> caught in the crossfire between non-BCP38 launchpoints and ultimate  
> victims.

How far up the prefix chain would you block?  By announcement? By /32  
of the resolver?

If Speakeasy isn't BCP38 compliant and they have 1000's of small  
businesses many of whom may be running open resolvers behind them,  
are they just considered "motivation to become BCP38 compliant?"

I do think that in the short term there will be a net effect of port  
53 firewalling to deal with "dns problems" but I see that happening  
before BCP38 network changes -- it's a far simpler change for most  


More information about the dns-operations mailing list