[dns-operations] blocking recursers

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Mar 23 11:28:28 UTC 2006


On Wed, Mar 22, 2006 at 07:27:28PM -1000,
 Randy Bush <randy at psg.com> wrote 
 a message of 29 lines which said:

> if i had a record of the recursive servers used to reflect an attack
> at my servers, would i be justified in blocking every-day queries
> from them until they tested recursion-free?

I suggest explaining first. Until now, it seems ordinary people (not
OARC members, not ISC employees, not CENTR meeting attendees) had
very little exposure to the Good Practice of shutting down ORNs. (The ISC
recommendation is not yet issued, there was no CERT warning.)

Advice to everyone on the list, including myself: educate, spread the
news, teach, inform DNS administrators. For instance, AFNIC is
*considering* sending a warning to each of its registrars about ORNs
but it has not been done yet. So, it would be harsh if we suddenly
started to blacklist ORNs.




