[dns-operations] Storm on the DNS

Paul Vixie paul at redbarn.org
Mon Dec 21 06:47:12 UTC 2015


On Monday, December 21, 2015 02:23:11 PM Davey wrote:
> ...
> The resolvers of ISPs and enterprises have fixed groups of users belonging to
> the same administration, in which case there is little reason not to implement
> RFC5358.

yes.

> For open resolvers like Google, OpenDNS, DYN, 114DNS, which are based
> on global/national anycast, the query is most likely responded to by the
> nearest anycast node, which definitely knows the IP range of their frequent
> users. So RFC5358 is also applicable to such kinds of open resolver.

no. global BGP routing changes can cause valid source addresses to appear in unlikely places 
for unpredictable reasons. however, your conclusion is correct for a different reason: 
opendns, googledns, and other global anycast providers have adequate monitoring and both 
automated and human rate limiting to prevent participation in anycasted reflected and 
possibly amplified spoofed-source ddos attacks. experience to date has shown that there is 
no material risk from these anycasted providers, because they invest heavily in their own 
defense.

> So my intuitive question is: when DNS people ask network operators strongly to
> adopt BCP38 to counter source address spoofing, should they consider
> BCP140 in the first place?

BCP 140 (RFC 5358) applies to all RDNS operators.

BCP 38 (RFC 2827) applies to all internet service or access providers.

for those who operate both RDNS and internet access/service networks, both BCPs 38 and 
140 apply.

-- 
P Vixie
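The two controls the thread contrasts, a BCP 140 (RFC 5358) client ACL for an ISP or enterprise resolver versus per-source rate limiting for an anycast open resolver that cannot enumerate its users, can be sketched as a single resolver front-end policy. The code below is an added illustration and is not code from the list thread or from any resolver implementation; the `RecursionPolicy` class, its token-bucket parameters, and the sample source addresses (drawn from the RFC 5737 / RFC 3849 documentation ranges) are all constructed for the example. It also shows the behaviour the thread implies but does not spell out: a pure source-address ACL is only as trustworthy as the ingress filtering (BCP 38) upstream, since the address being checked is the one an attacker would spoof.

```python
import ipaddress
from collections import Counter


class RecursionPolicy:
    """Front-end policy for a recursive resolver (constructed illustration,
    not code from the thread). With allowed_nets set it models the ISP /
    enterprise resolver: recurse only for own clients (BCP 140, RFC 5358).
    With allowed_nets=None it models an open anycast resolver that cannot
    list its users and relies on per-source rate limiting instead."""

    def __init__(self, allowed_nets=None, rate=10.0, burst=20):
        self.allowed = (None if allowed_nets is None
                        else [ipaddress.ip_network(n) for n in allowed_nets])
        self.rate = rate      # tokens refilled per second, per source address
        self.burst = burst    # bucket capacity, i.e. largest burst per source
        self.buckets = {}     # source address -> (tokens, last_seen_timestamp)

    def is_client(self, src):
        """True when src is inside a configured client prefix, or when the
        resolver is open (no ACL at all)."""
        if self.allowed is None:
            return True
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed)

    def _take_token(self, src, now):
        """Token bucket per source: refill by elapsed time, spend one token
        per query, refuse when the bucket is empty."""
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False

    def decide(self, src, now):
        """Return the action for one query: REFUSED (not a client, RFC 5358),
        DROP (client or open resolver over its per-source rate), or ANSWER."""
        if not self.is_client(src):
            return "REFUSED"
        if not self._take_token(src, now):
            return "DROP"
        return "ANSWER"


def simulate(policy, queries):
    """Run a constructed query trace through the policy.
    queries: iterable of (timestamp_seconds, source_address)."""
    outcome = Counter()
    for now, src in queries:
        outcome[policy.decide(src, now)] += 1
    return dict(outcome)


if __name__ == "__main__":
    # ISP-style resolver: only its own prefixes get recursion.
    acl = RecursionPolicy(allowed_nets=["192.0.2.0/24", "2001:db8::/32"])
    print(simulate(acl, [(0.0, "192.0.2.10"),
                         (0.0, "198.51.100.7"),   # outside the ACL -> REFUSED
                         (0.0, "2001:db8::1")]))
    # Open anycast resolver: no ACL, but a burst of 30 queries from one
    # (possibly spoofed) source in the same second is capped at 20.
    open_resolver = RecursionPolicy(allowed_nets=None, rate=10.0, burst=20)
    flood = [(1.0, "203.0.113.5")] * 30 + [(2.0, "203.0.113.5")]
    print(simulate(open_resolver, flood))
```

The ACL path is what RFC 5358 asks of fixed-user resolvers; the open-resolver path is the monitoring-plus-rate-limiting posture described for the anycast providers, where an ACL keyed on which node a query happens to land on would break the moment a BGP change moved legitimate users to a different node. Real resolvers (BIND, Unbound, Knot Resolver) implement both controls with their own configuration directives rather than this toy class.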