[dns-operations] question for DNS being attacked

Paul Vixie paul at redbarn.org
Thu Jun 28 19:35:35 UTC 2012

On 6/28/2012 7:10 PM, Michael Graff wrote:
> On Jun 28, 2012, at 1:55 PM, Paul Vixie wrote:
>> we are now in the post-apocalyptic road-warrior phase of non-DNSSEC's history. it's difficult for me to imagine anyone choosing to remain an attack amplifier when they could instead sign their zones. but you're entirely right about the tradeoff transparency; vernon and i do not intend to slip this decision into an operator's life without their knowledge and consent.
> "BCP 38"  Enough said.

what does that mean? BCP 38 is what the remote networks should do. we've
been pushing it into industry for 15 years. if more remote networks
would do it then spoofed-source amplified reflecting attacks would be a
smaller problem.

but it's not something a DNS operator can do on their own network.

and there is no scalable practical way that victims can find out which
network's lack of BCP 38 enforcement is hurting them, so they don't even
know who to ask "please install BCP 38". and many of those networks'
operators, if they could be found, would say, "it's hurting you not me,
i'm not going to make the investment."

so, no, "enough" has not been "said". please make a specific proposal
that is actionable by the operators of name servers who are being used
as amplifying DDoS reflectors. that is the topic here. that's what DNS
RRL is.

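The operator-side mitigation Vixie points to, DNS Response Rate Limiting, as an added simplified model in Python (not the list's or BIND's own code): the per-second limit, the one-second window, the /24 client grouping and the slip behaviour are assumed parameters, and the traffic is constructed.

```python
"""Simplified model of DNS Response Rate Limiting (RRL): what a name server
can do on its own against spoofed-source reflection, unlike BCP 38, which
only the remote network can deploy. Illustration only; parameters are assumed."""
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.limit = responses_per_second   # identical responses allowed per second per key (assumed)
        self.slip = slip                    # every slip-th suppressed response goes out truncated (TC=1)
        self.prefix_len = prefix_len        # group clients by netblock; a spoofer can vary the low bits
        self.window = {}                    # key -> (second, responses sent in that second)
        self.suppressed = defaultdict(int)  # key -> suppressed responses so far, drives slip

    def key(self, client_ip, qname, qtype, rcode):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype, rcode)

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return 'send', 'drop' or 'slip' for one candidate response at time `now` (seconds)."""
        k = self.key(client_ip, qname, qtype, rcode)
        second, sent = self.window.get(k, (int(now), 0))
        if second != int(now):                # new one-second window: start counting again
            second, sent = int(now), 0
        if sent < self.limit:
            self.window[k] = (second, sent + 1)
            return "send"
        self.window[k] = (second, sent)
        self.suppressed[k] += 1
        # A slipped reply is tiny and carries TC=1, so a genuine resolver retries over
        # TCP (which a spoofer cannot complete), while the spoofed victim sees no amplification.
        if self.slip and self.suppressed[k] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(events, limiter=None):
    """Feed (time, client_ip, qname, qtype, rcode) events through a limiter; return decision counts."""
    limiter = limiter or ResponseRateLimiter()
    return Counter(limiter.decide(ip, qn, qt, rc, t) for t, ip, qn, qt, rc in events)


# Constructed traffic: 12 spoofed queries aimed at 203.0.113.0/24 within one second
# (two different low octets, same /24), plus one ordinary resolver asking the same thing once.
ATTACK = [(i * 0.05, f"203.0.113.{5 + (i % 2) * 100}", "example.com.", "ANY", "NOERROR") for i in range(12)]
LEGIT = [(0.3, "198.51.100.7", "example.com.", "ANY", "NOERROR")]

if __name__ == "__main__":
    print(simulate(ATTACK + LEGIT))   # Counter({'send': 6, 'drop': 4, 'slip': 3})
```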
