[dns-operations] Best Practices in DNS security

Per Heldal heldal at eml.cc
Sun Mar 19 19:52:10 UTC 2006

On Sun, 19 Mar 2006 11:49:15 -0500, "Geo." <geoincidents at nls.net> said:
> You are absolutely right, instead of saying switch dns server software we
> should be saying switch to a router that by default implements BCP38.

That's not what I said. Hope you don't believe that implementing BCP38
on your own is going to solve anything ;)

What I want is an ops-community that fights bad practices in general.
Zero-tolerance is key. 3 examples:

1. If there is consensus in the community that public recursive DNS is
bad then service-providers *should* actively scan their own and their
customers' address-blocks for such and block them.

2. Just the same with open SNTP relays.

3. Enforcing BCP38 compliance is worse.  Boycotting vendors who don't
implement RPF by default (at least on edge-devices) could be a start.
Maybe cooperation with some OS-vendor to include some form of probe with
their software could provide data to support action against networks
that allow spoofing, but there's no reliable method available yet.

Zero-tolerance-policies implemented by the 10 or 20 biggest backbones
will render non-compliant solutions useless, and non-compliant products
will get fixed in no time.


  Per Heldal
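
Point 1 above assumes an operator can tell an open recursive resolver from a closed or authoritative-only one. The script below is an added example (not the poster's code or anything from the list) of the probe such a scan would run against each host in an address block: it builds a raw DNS query with the RD bit set and classifies the reply by the RA bit and RCODE. The query name `example.com`, the query ID `0x1234` and the sample replies are constructed for illustration.

```python
"""Probe a host for open recursion (added example, not from the original post).

A resolver that answers an arbitrary client's RD=1 query with RA set and
RCODE 0 is serving recursion to the whole Internet. The probe sends one
UDP query; the classifier works on raw reply bytes so it can be tested
offline with constructed replies.
"""
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
DEFAULT_QID = 0x1234          # assumed fixed ID, fine for a single probe


def build_query(name: str, qid: int = DEFAULT_QID) -> bytes:
    """Return a DNS query packet (RD=1) for name / A / IN."""
    # Header: ID, flags (RD = 0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def classify_response(data: bytes, expected_id: int = DEFAULT_QID) -> str:
    """Classify a raw reply: open-recursive, refused, authoritative-only,
    no-recursion, mismatch or malformed."""
    if len(data) < 12:
        return "malformed"
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        return "mismatch"            # not a reply to our query (or spoofed)
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    if not qr:
        return "malformed"           # a query, not a response
    if rcode == 5:
        return "refused"             # resolver declines recursion for us
    if ra and rcode == 0:
        return "open-recursive"      # recursion available to an outside client
    if aa and not ra:
        return "authoritative-only"  # answers its own zones, no recursion
    return "no-recursion"


def fake_reply(qid: int, *, aa: bool = False, ra: bool = False,
               rcode: int = 0, ancount: int = 0,
               name: str = "example.com") -> bytes:
    """Construct a reply header + question section for offline testing
    (constructed data, not captured traffic)."""
    flags = (1 << 15) | (int(aa) << 10) | (int(ra) << 7) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    return header + build_query(name, qid)[12:]


def probe(host: str, name: str = "example.com", timeout: float = 2.0,
          qid: int = DEFAULT_QID) -> str:
    """Send one RD=1 query to host:53 over UDP and classify the reply."""
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(data, qid)


if __name__ == "__main__":
    # Usage: python probe.py 192.0.2.1 192.0.2.2 ...   (only scan blocks you operate)
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Only "open-recursive" hosts are the ones point 1 is about; "refused" and "authoritative-only" are the expected outcomes for a correctly configured resolver or name server. Run it only against address space you are responsible for, and expect packet loss to show up as "timeout", which says nothing either way.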
