[dns-operations] blocking recursers

Randy Bush randy at psg.com
Thu Mar 23 16:48:48 UTC 2006

>> if i had a record of the recursive servers used to reflect an attack
>> at my servers, would i be justified in blocking every-day queries
>> from them until they tested recursion-free?
> I suggest to explain first. Until now, it seems ordinary people (not
> OARC members, not ISC employees, not CENTR meetings attendants) had
> very little exposure to the Good Practice of shutting down ORNs.

one aspect is a lack of supporting documentation in the rfcs.  in
fact, the reverse is the case, open recursion is acceptable in the
standards.  so what is my ethical/legal exposure if i deny service
to someone who seems to not be violating the standards?

> Advice to everyone on the list, including myself: educate, spread
> the news, teach, inform DNS administrators.

seems to me we also need to get the standards changed/augmented.


