[dns-operations] blocking recursers
fw at deneb.enyo.de
Fri Mar 24 22:34:39 UTC 2006
* Stephane Bortzmeyer:
> I suggest to explain first. Until now, it seems ordinary people (not
> OARC members, not ISC employees, not CENTR meetings attendants) had
> very few exposure to the Good Practice of shutting down ORNs. (The ISC
> recommandation is not yet issued, there was no CERT warning.)
To some extent, this was on purpose because once you claim that this
is a relevant issue, attacks begin to soar. And this is particularly
bad because you can't patch the issue over a couple of months.
> Advice to everyone on the list, including myself: educate, spread the
> news, teach, inform DNS administrators. For instance, AFNIC is
> *considering* sending a warning to each of its registrars about ORNs
> but it has not been done yet. So, it would be harsh if we suddenly
> started to blacklist ORNs.
The focus on open resolvers seems a bit unwarranted. There are
legtimate responses to QTYPE=ANY which are 2 KiB large. Perhaps
disabling ENDS0 for QTYPE=ANY and lowering the default ENDS0 buffer
size to something like 1280 bytes (to avoid fragmentation) could
improve things, but I'm not sure if this would be a good trade-off.
Lack of BCP38 conformance is the real problem. But we can't address
that, and some of the blame rests on those historic ping-poing UDP
More information about the dns-operations