From: Doug Barton <dougb@FreeBSD.org>
Date: Thu, 08 Jun 2006 14:22:44 -0700
To: Chuck Swiger
Cc: current@freebsd.org
Subject: Re: named recursive queries
Message-ID: <44889524.3030600@FreeBSD.org>
In-Reply-To: <448799B6.8080709@mac.com>

Chuck Swiger wrote:
> It seems clear that people who want to run a recursive nameserver will
> be able to change this if your proposed change is made. However, which
> problem are you trying to solve with it?

Well, having a wide open anything on the network is pretty much a bad idea nowadays. While the current press surrounding the open resolver DDoS problem is drawing attention to this particular part of the issue, it's bad for us to start what is supposed to be a local resolver in wide open mode in any case. (Which, as I pointed out already, is not what we are doing.)

> Yes, people can send queries with a spoofed sender to perform a DoS, and
> yes, permitting recursive queries lets the attacker choose a large
> response from any zone rather than having to tailor the attack to each
> nameserver.

Yes, that is one variant of the attack that we're trying to mitigate.

> The right solution to that problem is egress filtering of spoofed
> traffic at the ISP-level.

Yes, but long years of history (not to mention the obvious economic incentive) have shown that this will not happen. Therefore we need to attack this problem directly, using available mechanisms.

Doug

-- 
This .signature sanitized for your protection
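The setting the thread is arguing about, shown as an added illustration rather than the FreeBSD default named.conf or Doug's proposed change: a BIND 9 `options` stanza that recurses for anyone (the open resolver an attacker can use for amplification) next to one restricted to a local resolver's own clients, and one for an authoritative-only server. The three `options` stanzas are alternatives; a real named.conf carries exactly one. The `"trusted"` ACL name and the 192.0.2.0/24 network are assumptions chosen for the example (a documentation range), and the pre-9.4 default for `allow-recursion` and the availability of `allow-query-cache` from BIND 9.4 on are stated from the BIND documentation, not from the thread.

```conf
// Added example, not FreeBSD's shipped named.conf. Pick ONE options stanza.

// 1. Wide open. Anyone who can reach port 53 gets a recursive answer, so a
//    query with a spoofed (victim) source address makes this server send the
//    large response to the victim: the amplification variant discussed above.
//    Note that "allow-recursion { any; };" was the implicit default in BIND 9
//    releases before 9.4, so an options stanza that merely omits it is still
//    wide open on those versions.
options {
    directory "/etc/namedb";
    listen-on { any; };
    recursion yes;
    allow-recursion { any; };
};

// 2. Local resolver: listen only on loopback and recurse only for the
//    networks listed in the ACL. Everyone else asking for a name this server
//    is not authoritative for gets REFUSED instead of a recursive answer.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;            // assumed: the site's own LAN
};

options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion { "trusted"; };
    // BIND 9.4 and later: also keep outsiders from reading cached answers,
    // which would otherwise still leak through non-recursive queries.
    allow-query-cache { "trusted"; };
};

// 3. Authoritative-only server: never chase names in zones it does not
//    serve, so there is nothing to amplify beyond its own zone data.
options {
    directory "/etc/namedb";
    recursion no;
    allow-query { any; };    // public zones may be queried by anyone
};
```

After editing, run `named-checkconf` to catch syntax errors before restarting named. To confirm the restriction took effect, query a name outside your zones from a host that is not in the ACL with `dig @<server> www.example.com +recurse`; the expected status is REFUSED, whereas the open configuration returns the full answer. The wide-open stanza is what Chuck's quoted message describes: an attacker can pick any large record in any zone, since the server will fetch it on their behalf.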