<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Hi Davey,</div><div><br>On 21 Dec 2015, at 07:23, Davey(宋林健) <<a href="mailto:ljsong@biigroup.cn">ljsong@biigroup.cn</a>> wrote:<br><br></div><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=gb2312">Thank you for the pointer to RFC5358 which is exactly what I would like to suggest. <div class="">It does aim for open resolver to adopt the recommended configuration.<div class=""><div style="widows: 1;" class=""><font color="#333333" class=""><span style="white-space: pre; background-color: rgba(255, 255, 255, 0.498039);" class=""><br class=""></span></font></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="background-color: rgba(255, 255, 255, 0.498039);" class=""><span style="white-space: pre;" class="">The resolvers of ISPs and enterprises have fixed groups of users belongs to the same </span></span></font></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="background-color: rgba(255, 255, 255, 0.498039);" class=""><span style="white-space: pre;" class="">administration , in which there is little reason not implementing RFC5358. </span></span></font><font color="#333333" class=""><span style="background-color: rgba(255, 255, 255, 0.498039);" class=""><span style="white-space: pre;" class="">For open </span></span></font></div><div style="widows: 1;" class=""><span style="white-space: pre; background-color: rgba(255, 255, 255, 0.498039); color: rgb(51, 51, 51);" class="">resolver like Google, OpenDNS, DYN, 114DNS which is based on global/national anycast, </span></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="background-color: rgba(255, 255, 255, 0.498039);" class=""><span style="white-space: pre;" class="">the query is most likely </span></span><span style="white-space: pre;" class="">responded by the nearest anycast node which definitely knows the </span></font></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="white-space: pre;" class="">IP range of their frequent users. So RFC5358 is also applicable for such kind of open resolver.</span></font></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="white-space: pre;" class=""><br class=""></span></font></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="white-space: pre;" class="">So my intuitive question is when DNS people ask network operator </span></font><span style="color: rgb(51, 51, 51); white-space: pre;" class="">strongly </span><font color="#333333" class=""><span style="white-space: pre;" class="">to adopt BCP38 </span></font></div><div style="widows: 1;" class=""><font color="#333333" class=""><span style="white-space: pre;" class="">to encounter source address spoofing, </span></font><span style="white-space: pre; color: rgb(51, 51, 51);" class="">should they consider BCP140 in the first place? </span></div></div></div></blockquote><br><div>Well, "commercial" open resolvers (the likes of Google, OpenDNS, Dyn, ...) do implement protection mechanisms to avoid being used for amplification attacks. </div><div><br></div><div>And as Paul pointed out, if you implement RFC5358, then all of a sudden, they are no longer open resolvers. </div><div>And I suspect that most of the "bad" open resolvers (i.e. *not* Google, Dyn, ...) are ran (if we can use this verb) by people neglecting any configuration change or upgrade. </div><div>So that's a little bit pointless to force something, as they would not implement it anyway. </div><div><br></div><div>Cheers,</div><div><br></div><div>-- </div><div>Nico</div></body></html>