> Matthew Pounsett <m...@conundrum.com>:
> > The paper also appears to make the assumption that eliminating
> > existing resolvers is a thing we can do. Open recursive resolvers
> > won't go away simply because we, as an industry, decide to stop
> > setting up new ones. There's no way to prevent them from sending
> > queries (or to selectively block them), and they are almost by
> > definition unmanaged, so we cannot expect they will be taken offline
> > by their respective administrators.
>
> Sure. I agree with this. But, if we make clients default to not using
> resolvers then the harm resolvers can do is reduced. I.e., so what if I
> can cache poison a CPE if none of the clients behind it utilize the CPE
> for lookups?
Then we merely move on to the issue of cache poisoning individual clients.

Assuming that the CPE is a NAT (effectively firewalling clients from poisoning attacks) and/or that the individual clients have well-designed, impervious resolvers is likely to be a fail. Remember that IPv6 is coming...

We already have a lot of abandonware Internet-connected devices out there, random devices running some variant of BusyBox or whatever that need to be able to do hostname lookups. So, great, we do what, we put BIND 9 on them? And then never patch them once the product warranty has expired? That's going to end well.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.