In message <[email protected]>, 
David Miller <[email protected]> wrote:

>A system that requires the victim to take action to stop attacks...

You mean like the de facto "system" we have right now?

>... might be misconstrued by some to be abdicating the responsibility
>of the upper four levels.

Ummm... I don't quite know how to break this to you, but...

>Agreed.  Close all open resolvers as well.

I may be alone, but I am not persuaded that that even entirely solves
the problem.  (And I'm not sure that vigorous community efforts to
close all open resolvers aren't perhaps a tad bit misguided, even if
still good and beneficial.)

If Joe is authoritative for a zone 'Z' which happens to have, oh, say, 4000
bytes worth of crap in its ANY responses (counting all the DNSSEC and SPF
cruft) and if I spoof an ANY request to Joe for Z with your IP address on
it, what's gonna happen to you?

Multiply this by millions of Joes and millions of zones which have been
fluffed up with either DNSSEC and/or fat SPF TXT records and I don't need
there to be a single "open" resolver on the Internet in order to kill
you deader than a doornail.


Regards,
rfg

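The spoofed-ANY amplification rfg describes above, as an added illustration that is not code from the post or from ISC: it assembles a constructed, DNSSEC- and SPF-bloated zone apex in DNS wire format, compares the bytes a spoofed ANY query costs with the bytes the victim's address receives, and shows how far an RFC 8482-style single-RRset answer (the effect of BIND's `minimal-any yes;`) shrinks that response. The zone name, record contents and record sizes are constructed assumptions, not a real zone.

```python
import struct

# Constructed example: an apex bloated with DNSSEC and SPF data, as in the post.
# Record contents and sizes are illustrative, not taken from any real zone.
TYPE_A, TYPE_TXT, TYPE_RRSIG, TYPE_DNSKEY, TYPE_ANY = 1, 16, 46, 48, 255
OPT_RR_LEN = 11  # EDNS0 OPT pseudo-RR with no options: root name + 10 fixed bytes

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def rr_wire(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rr_type(rr, owner):
    """Read the TYPE field of a wire RR whose owner name is `owner`."""
    off = len(encode_name(owner))
    return struct.unpack("!H", rr[off:off + 2])[0]

def message_size(qname, qtype, answer_rrs):
    """Bytes on the wire: 12-byte header + one question + answer RRs + OPT RR."""
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return 12 + len(question) + sum(len(rr) for rr in answer_rrs) + OPT_RR_LEN

def constructed_apex(zone):
    """Constructed apex RRsets: A, a fat SPF TXT, three 2048-bit DNSKEYs, six RRSIGs."""
    spf = b"v=spf1 " + b" ".join(b"include:_spf.mail%d.invalid" % i for i in range(8)) + b" -all"
    rrs = [rr_wire(zone, TYPE_A, b"\xc0\x00\x02\x01"),             # 192.0.2.1 (TEST-NET-1)
           rr_wire(zone, TYPE_TXT, struct.pack("B", len(spf)) + spf)]  # one <character-string>
    key = struct.pack("!HBB", 257, 3, 8) + b"\x00" * 260           # flags, proto, RSASHA256, key
    rrs += [rr_wire(zone, TYPE_DNSKEY, key) for _ in range(3)]
    sig = b"\x00" * 18 + encode_name(zone) + b"\x00" * 256         # fixed fields, signer, RSA sig
    rrs += [rr_wire(zone, TYPE_RRSIG, sig) for _ in range(6)]
    return rrs

def any_amplification(zone, rrs):
    """(query bytes, full ANY response bytes) for a spoofed ANY query at the apex."""
    return message_size(zone, TYPE_ANY, []), message_size(zone, TYPE_ANY, rrs)

def minimal_any_size(zone, rrs):
    """Response size when ANY is answered with one RRset plus its RRSIG (RFC 8482 style,
    the effect of BIND's `minimal-any yes;`) instead of every RRset at the name."""
    a_rrs = [r for r in rrs if rr_type(r, zone) == TYPE_A]
    one_sig = [r for r in rrs if rr_type(r, zone) == TYPE_RRSIG][:1]
    return message_size(zone, TYPE_ANY, a_rrs + one_sig)

if __name__ == "__main__":
    zone = "z.example."                     # placeholder for the post's zone Z
    q, full = any_amplification(zone, constructed_apex(zone))
    print(f"query {q} B -> full ANY {full} B ({full / q:.0f}x); "
          f"minimal-any {minimal_any_size(zone, constructed_apex(zone))} B")
```

The bytes-out figure is per spoofed packet; the post's point is that no open resolver is needed, only enough authoritative servers that still answer ANY in full.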

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users