[dns-operations] Storm on the DNS

"Davey(宋林健)" ljsong at biigroup.cn
Mon Dec 21 06:23:11 UTC 2015


Thank you for the pointer to RFC5358, which is exactly what I would like to suggest.
It does aim for open resolvers to adopt the recommended configuration.

The resolvers of ISPs and enterprises have fixed groups of users belonging to the same
administration, in which there is little reason not to implement RFC5358. For open
resolvers like Google, OpenDNS, DYN, 114DNS which are based on global/national anycast,
the query is most likely responded to by the nearest anycast node, which definitely knows the
IP range of their frequent users. So RFC5358 is also applicable for this kind of open resolver.

So my intuitive question is: when DNS people strongly ask network operators to adopt BCP38
to counter source address spoofing, should they consider BCP140 in the first place?

Davey

> On 21 Dec 2015, at 13:17, Paul Vixie <paul at redbarn.org> wrote:
> 
> Song Linjian (Davey) songlinjian at gmail.com (Mon Dec 21 02:00:38 UTC 2015):
>  
> > How about source validation on open resolvers themselves?
> > which means all open resolvers only serve its local users.
>  
> in that case they would not be "open" resolvers. see RFC 5358.
>  
> -- 
> P Vixie
---------------------------
Davey Song(宋林健)
BII Lab
ljsong at biigroup.cn
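
An added example, not part of the original message or of RFC 5358: a sketch of the source check discussed above, for a recursion-only server that answers REFUSED to clients outside its known ranges. The client prefixes, function names and sample query are constructed assumptions.

```python
import ipaddress
import struct

# Assumed client ranges of this resolver (constructed, documentation prefixes).
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "2001:db8:100::/48")]
FLAG_QR, FLAG_OPCODE, FLAG_RD = 0x8000, 0x7800, 0x0100
RCODE_REFUSED = 5


def is_intended_client(src_ip):
    """True if the source address is inside one of the served prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETS)


def build_query(qname, txid=0x1234):
    """Constructed sample input: minimal recursive query, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def question_end(packet):
    """Offset just past the single question (name, qtype, qclass)."""
    i = 12
    while packet[i] != 0:
        i += packet[i] + 1
    return i + 5


def handle_query(src_ip, packet):
    """Return ("recurse", None), ("refuse", response) or ("drop", None)."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
        end = question_end(packet)
    except (struct.error, IndexError):
        return "drop", None          # truncated or malformed packet
    if flags & FLAG_QR or qdcount != 1 or end > len(packet):
        return "drop", None          # not a single-question query
    if is_intended_client(src_ip):
        return "recurse", None       # hand over to the normal resolution path
    # Outside the served ranges: echo ID, opcode, RD and the question only,
    # so the reply is never larger than the query that triggered it.
    resp_flags = FLAG_QR | (flags & (FLAG_OPCODE | FLAG_RD)) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return "refuse", header + packet[12:end]
```

Because the REFUSED reply carries no answer records, a spoofed query sent through such a resolver gains no amplification from it.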


