Re: how many angels can dance on the head of a pin?

Paul Vixie <vixie@isc.org> Sun, 10 August 2008 15:46 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D3603A6DBB; Sun, 10 Aug 2008 08:46:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z4vFxC9h8Ex9; Sun, 10 Aug 2008 08:46:57 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 44A2E3A6B36; Sun, 10 Aug 2008 08:46:57 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSD3J-00018g-K1 for namedroppers-data@psg.com; Sun, 10 Aug 2008 15:41:53 +0000
Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <vixie@vix.com>) id 1KSD3G-00018G-1n for namedroppers@ops.ietf.org; Sun, 10 Aug 2008 15:41:51 +0000
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 1CC1EA200B; Sun, 10 Aug 2008 15:41:40 +0000 (UTC) (envelope-from vixie@nsa.vix.com)
From: Paul Vixie <vixie@isc.org>
To: sthaug@nethelp.no
cc: duane@e164.org, alex@alex.org.uk, bmanning@vacation.karoshi.com, namedroppers@ops.ietf.org
In-Reply-To: Your message of "Sun, 10 Aug 2008 13:07:23 +0200." <20080810.130723.71154003.sthaug@nethelp.no>
References: <489E89B6.6090208@e164.org> <01B9CF1DF0A4A4443A6E73A4@nimrod.local> <489EAFCD.2090204@e164.org> <20080810.130723.71154003.sthaug@nethelp.no>
X-Mailer: MH-E 8.0.3; nil; GNU Emacs 22.2.1
Date: Sun, 10 Aug 2008 15:41:40 +0000
Message-ID: <40886.1218382900@nsa.vix.com>
MIME-Version: 1.0
X-Vix-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-ID: 1CC1EA200B.AFF16
X-Vix-MailScanner: Found to be clean
X-Vix-MailScanner-From: vixie@vix.com
Subject: Re: how many angels can dance on the head of a pin?
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

> From: sthaug@nethelp.no
> 
> At least for the ISP *I* work for, our publicly accessible caches are
> accessible for direct recursive queries only from IP addresses within
> our own AS, not from the Internet at large.

may i ask that you write an FYI RFC for dnsop explaining this policy with
special emphasis on (1) how you did it, (2) how easy it was to do it, and
(3) how beneficial it's been that you did it.  many of your coopetitors
across the industry are not yet following in these excellent footsteps.

(and it won't make you safe from spoofing if you have a dialup or enduser
population who can be infested with bots, or if you have SMTP servers who
can be triggered to make DNS requests for an attacker with very fine
timing, but this kind of network hygiene certainly limits the scope of
the problem.)

(if you also enforce BCP38 against your customers, you might mention this
in passing in your FYI RFC, again explaining how easy it was and how much
cost and/or benefit you get from it.)


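The policy sthaug describes (recursion served only to sources inside the operator's own AS) and the kind of probe one would use to verify it, as an added example that is not part of the original message, of ISC/BIND, or of any operator's configuration. It builds a minimal A/IN query in DNS wire format, applies a source-address ACL the way a resolver's recursion ACL does, and emits a wire response: REFUSED (RCODE 5) with RA clear for outside sources, a normal answer with RA set for inside ones. The prefixes, the query name, the client addresses and the cached answer are all constructed for the example; the in-memory `cache` dict stands in for the recursion engine.

```python
"""Model of a resolver that serves recursion only to its own AS.

Added illustration for this thread; not code from the original message,
from ISC/BIND or from any operator.  The ACL prefixes, the query name,
the client addresses and the cached answer are all constructed.
"""
import ipaddress
import struct

# Constructed: prefixes this ISP originates from its own AS.  A real
# deployment would derive the list from its routing/IRR data.
OUR_AS_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")]

FLAG_QR = 0x8000          # message is a response
FLAG_RD = 0x0100          # recursion desired (set by the client)
FLAG_RA = 0x0080          # recursion available (set by the server)
RCODE_REFUSED = 5
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(txid, qname, rd=True):
    """A stub-resolver style A/IN query, RD set unless told otherwise."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_message(msg):
    """Header fields plus the (single) question section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "qname": qname,
            "qtype": qtype, "ancount": an, "question": msg[12:off + 4]}


def in_our_as(src):
    """The ACL: is the packet's source address inside one of our prefixes?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OUR_AS_PREFIXES)


def handle_query(msg, src, cache):
    """Resolver front end.  `cache` (name -> IPv4 string) stands in for the
    recursion engine.  Sources outside the AS get REFUSED with RA clear for
    recursive and non-recursive queries alike, so the cache is not readable
    from outside either (in BIND terms, allow-recursion together with
    allow-query-cache)."""
    q = parse_message(msg)
    rd = q["flags"] & FLAG_RD
    if not in_our_as(src):
        flags = FLAG_QR | rd | RCODE_REFUSED
        return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + q["question"]
    flags = FLAG_QR | rd | FLAG_RA
    answer, ancount = b"", 0
    ip = cache.get(q["qname"]) if q["qtype"] == TYPE_A else None
    if ip is not None:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        rr_fixed = struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        answer = b"\xc0\x0c" + rr_fixed + ipaddress.IPv4Address(ip).packed
        ancount = 1
    return struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0) + q["question"] + answer


def classify(resp):
    """What a probe sent from a given vantage point learns from the reply."""
    r = parse_message(resp)
    if r["rcode"] == RCODE_REFUSED:
        return "refused"
    return "recursive" if r["flags"] & FLAG_RA else "non-recursive"


if __name__ == "__main__":
    cache = {"www.example.net.": "203.0.113.80"}   # constructed cache entry
    query = build_query(0x1234, "www.example.net.")
    for src in ("192.0.2.10", "2001:db8::53", "203.0.113.7"):
        print(src, classify(handle_query(query, src, cache)))
```

The ACL is evaluated on nothing but the packet's source address, which is the point of the two caveats in the message: a bot or a triggerable SMTP server inside the prefixes is a legitimate client as far as this check is concerned, and a packet with a forged inside source gets through unless the customer edge drops it first, which is what BCP38 ingress filtering adds.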
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>