[dns-operations] Best Practices

Jared Mauch jared at puck.nether.net
Fri Jun 14 17:22:14 UTC 2013

On Jun 14, 2013, at 1:18 PM, Paul Vixie <paul at redbarn.org> wrote:

> Jared Mauch wrote:
>> On Jun 14, 2013, at 11:07 AM, Chip Marshall <chip at 2bithacker.net>
>>  wrote:
>>> There was some talk at a recent meeting about establishing some
>>> best practices for operating a DNS server. I'm curious if anyone
>>> is running with this, and if not, if this would be a good forum
>>> to start working on such a project.
>>> I know there are some IETF documents around best practices for
>>> things like DNSSEC, but to the best of my knowledge there's not a
>>> good repository for things like RRL, making sure your recursive
>>> resolver isn't open, ensuring source port randomization (I know I
>>> still see a lot of source 53 queries) and so on.
>> I know I certainly would be interested in a few things, e.g.:
>> a) Secure configuration guidelines (RRL you can't make part of that, because it requires too much tuning IMHO).
> rrl's defaults work fine on every authority server i've tried. what's your experience, with config snippets and test results?

Based on my sampling of data, most people are not running authority servers, they are running recursive resolvers.

secret, about to be released to the public graphs (to mitigate me being lazy)...



- Jared

More information about the dns-operations mailing list