[dns-operations] security with a firewall

Paul Vixie paul at redbarn.org
Wed May 15 17:18:24 UTC 2013


Lawrence K. Chen, P.Eng. wrote:
> I've been told that we can't implement BCP38 because it's actually egress filtering... it's only ingress from the perspective of the ISP and its downstream customers... to DNS operators, that's something the ISPs need to implement, since it is to prevent source addresses that aren't in the netblock of its downstream customer from being forwarded into the Internet.
> But outside our border is the whole Internet... so as long as the source address is valid and not us, how would we tell that it's being spoofed?

See also <http://archive.icann.org/en/committees/security/sac004.txt>
which has a different taxonomy but the same goal as BCP38, and which is
directly responsive to your observations above.
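The two vantage points discussed above, as an added worked example (not code from either poster or from BCP38/SAC004 itself): a BCP38-style source-address check at an ISP's customer edge, where the set of legitimate source prefixes is known and spoofing is detectable, next to the much weaker check a DNS operator can do at its own Internet border, where the only sources it can prove are spoofed are its own prefixes and a handful of never-routable ranges. The prefixes, interface names and packets are constructed for illustration.

```python
"""BCP38 (ingress filtering) from two vantage points, added example.

Uses only the standard library; all prefixes and packets below are constructed
sample data, not taken from the mailing-list post.
"""
from ipaddress import ip_address, ip_network

# Constructed: prefixes an ISP has assigned to one customer interface ("cust0").
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8:100::/48")]

# Constructed: the DNS operator's own address space behind its border router.
OUR_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("2001:db8:200::/48")]

# Source ranges that can never legitimately arrive from the public Internet
# (RFC 1918 space, loopback, link-local). Kept explicit rather than relying on
# ipaddress.is_private, which would also flag the documentation prefixes above.
NEVER_ROUTED_SOURCES = [
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"), ip_network("::1/128"), ip_network("fe80::/10"),
]


def _in_any(src, prefixes):
    """True if src parses as an IP address and falls inside any prefix of the same version."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr.version == p.version and addr in p for p in prefixes)


def isp_customer_edge_filter(src, customer_prefixes=CUSTOMER_PREFIXES):
    """BCP38 as the ISP applies it on a customer-facing interface: forward a
    packet only if its source address lies inside that customer's prefixes.
    Here the ISP knows exactly what is legitimate, so spoofing is detectable."""
    return _in_any(src, customer_prefixes)


def operator_border_filter(src, our_prefixes=OUR_PREFIXES):
    """What a DNS operator can check on its upstream (Internet-facing) interface.
    It can only reject sources it knows are impossible: its own prefixes (they
    should never arrive from outside) and never-routed ranges. Any other
    address could belong to anyone on the Internet, which is the poster's point."""
    if _in_any(src, our_prefixes) or _in_any(src, NEVER_ROUTED_SOURCES):
        return False
    # Malformed sources are dropped too; everything else has to be accepted.
    try:
        ip_address(src)
    except ValueError:
        return False
    return True


def apply_policy(packets):
    """Run the appropriate filter for each (interface, source) pair and return
    (interface, source, verdict) tuples with verdict 'forward' or 'drop'."""
    decisions = []
    for iface, src in packets:
        ok = isp_customer_edge_filter(src) if iface == "cust0" else operator_border_filter(src)
        decisions.append((iface, src, "forward" if ok else "drop"))
    return decisions


# Constructed sample traffic: (ingress interface, claimed source address).
SAMPLE_PACKETS = [
    ("cust0", "192.0.2.10"),        # customer's own address: forwarded
    ("cust0", "203.0.113.5"),       # spoofed, outside customer's netblock: dropped
    ("cust0", "2001:db8:100::1"),   # customer's IPv6 address: forwarded
    ("upstream", "203.0.113.5"),    # some remote host: cannot be judged, forwarded
    ("upstream", "198.51.100.53"),  # claims to be us, arriving from outside: dropped
    ("upstream", "10.1.2.3"),       # RFC 1918 source from the Internet: dropped
]

if __name__ == "__main__":
    for iface, src, verdict in apply_policy(SAMPLE_PACKETS):
        print(f"{iface:9s} {src:20s} {verdict}")
```

The contrast is the answer to the question in the quoted message: the same spoofed packet (`203.0.113.5`) is dropped at the ISP's customer edge, where the legitimate prefix set is known, but must be forwarded at the DNS operator's border, where it is indistinguishable from genuine traffic.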


