[dns-operations] Best Practices in DNS security

JP Velders jpv at veldersjes.net
Tue Mar 21 19:43:22 UTC 2006


> Date: Sun, 19 Mar 2006 11:19:00 -0500
> From: Geo. <geoincidents at nls.net>
> Subject: Re: [dns-operations] Best Practices in DNS security

> [ ... ]
> The core issue is not recursive servers, it's spoofed udp packets. 
> Why don't we fix the problem instead of treating just one symptom of 
> the problem?

What fine alcoholic or intoxicating substance are you on?

Botnets aplenty around the world, and implementing BCP38 won't make 
the problem of open-recursers go away or become less manageable.

If spoofing was that much of a problem (when viewed in this smaller 
context!), then I'd really like to know why -being a member of an NREN 
security team- we're not buried in complaints about issues which turn 
out to be spoofing of UDP packets.

Being a good netizen and configuring your network cluefully however 
would indeed entail making sure your customers can't spoof through 
your infrastructure (and some other stuff like uRPF etc.). It's akin 
to not running an open relay, taking measures against smurf amplifiers 
etc. All basic and good practices, being core competence issues, just 
like having good financial information.

Kind regards,
JP Velders


