[dns-operations] blocking recursers

Florian Weimer fw at deneb.enyo.de
Fri Mar 24 22:34:39 UTC 2006

* Stephane Bortzmeyer:

> I suggest to explain first. Until now, it seems ordinary people (not
> OARC members, not ISC employees, not CENTR meetings attendants) had
> very few exposure to the Good Practice of shutting down ORNs. (The ISC
> recommandation is not yet issued, there was no CERT warning.)

To some extent, this was on purpose because once you claim that this
is a relevant issue, attacks begin to soar.  And this is particularly
bad because you can't patch the issue over a couple of months.

> Advice to everyone on the list, including myself: educate, spread the
> news, teach, inform DNS administrators. For instance, AFNIC is
> *considering* sending a warning to each of its registrars about ORNs
> but it has not been done yet. So, it would be harsh if we suddenly
> started to blacklist ORNs.

The focus on open resolvers seems a bit unwarranted.  There are
legtimate responses to QTYPE=ANY which are 2 KiB large.  Perhaps
disabling ENDS0 for QTYPE=ANY and lowering the default ENDS0 buffer
size to something like 1280 bytes (to avoid fragmentation) could
improve things, but I'm not sure if this would be a good trade-off.

Lack of BCP38 conformance is the real problem.  But we can't address
that, and some of the blame rests on those historic ping-poing UDP

More information about the dns-operations mailing list