John,

Looks pretty good, although I have a couple of comments.

First, does it make sense to discuss blocking of network prefixes rather than IP addresses? This is mentioned a couple of times in the text, but blocking an IPv6 address is like throwing a pebble in the ocean. :P (I did a quick Google search to find if there are any RFCs about this in general, but didn't notice any. Does anybody know of any standard text about this issue?)

Second, one possible issue for consideration is that it is already a problem for resolver operators that a single query can cause a *lot* of work for the resolver. This issue can be magnified with TCP pipelining: a bad actor can connect to a resolver and queue a ton of queries in a few packets (consider how many queries will fit in 1460 bytes).

Cheers,

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
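Both points in the post (accounting per prefix rather than per address, and the number of pipelined queries one TCP segment can carry) can be made concrete with a small resolver-side model. The following is an added example, not code from the thread, the draft under discussion, or any resolver implementation: it frames minimal RFC 1035 queries for TCP, splits a received stream back into messages, counts how many fit in a 1460-byte segment, and applies two constructed limits, a per-connection in-flight cap and a per-prefix budget keyed on the client's /64 (IPv6) or /24 (IPv4). The prefix lengths, the limits, the connection ids and the `2001:db8::` sample clients are assumptions chosen for the demo, not values from any standard.

```python
"""Resolver-side accounting for pipelined DNS-over-TCP queries (added example;
not from the DNSOP thread or any resolver). Limits and traffic are constructed."""
import ipaddress
import struct
from collections import defaultdict

# Constructed policy values (assumptions for the demo, not from any RFC).
IPV6_AGG_PREFIX = 64         # account a whole /64 as one client, not each /128
IPV4_AGG_PREFIX = 24
MAX_INFLIGHT_PER_CONN = 16   # pipelined queries held unanswered per TCP connection
MAX_QUERIES_PER_PREFIX = 24  # per accounting window; kept small so the demo hits it
TCP_MSS = 1460               # the segment size the post uses


def client_key(addr: str) -> str:
    """Collapse a client address to the prefix it is accounted against."""
    ip = ipaddress.ip_address(addr)
    plen = IPV6_AGG_PREFIX if ip.version == 6 else IPV4_AGG_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def encode_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(buf: bytes):
    """Split a received byte stream into complete messages; return (msgs, leftover)."""
    msgs, off = [], 0
    while off + 2 <= len(buf):
        (length,) = struct.unpack_from("!H", buf, off)
        if off + 2 + length > len(buf):
            break  # partial message: keep the bytes until more data arrives
        msgs.append(buf[off + 2: off + 2 + length])
        off += 2 + length
    return msgs, buf[off:]


class PipelineGuard:
    """Per-connection in-flight cap plus per-prefix query budget."""

    def __init__(self):
        self.inflight = defaultdict(int)      # conn_id -> accepted but unanswered
        self.prefix_count = defaultdict(int)  # prefix -> accepted this window

    def admit(self, conn_id: str, client_addr: str, msgs: list) -> dict:
        """Classify a batch of pipelined messages as accepted, deferred or rejected.

        Over the per-connection cap the query is deferred (buffered, not worked on);
        over the per-prefix budget it is rejected, so spreading a burst across many
        addresses in one /64 gains nothing.
        """
        key = client_key(client_addr)
        result = {"accepted": 0, "deferred": 0, "rejected": 0, "prefix": key}
        for _ in msgs:
            if self.prefix_count[key] >= MAX_QUERIES_PER_PREFIX:
                result["rejected"] += 1
            elif self.inflight[conn_id] >= MAX_INFLIGHT_PER_CONN:
                result["deferred"] += 1
            else:
                self.inflight[conn_id] += 1
                self.prefix_count[key] += 1
                result["accepted"] += 1
        return result

    def answered(self, conn_id: str, n: int = 1) -> None:
        """Release in-flight slots once responses have been sent."""
        self.inflight[conn_id] = max(0, self.inflight[conn_id] - n)


def queries_per_segment(qname: str) -> int:
    """How many identical framed queries for qname fit in one TCP_MSS-byte segment."""
    return TCP_MSS // len(tcp_frame(encode_query(qname, 0)))


def demo() -> dict:
    """Constructed traffic: two connections from one /64 each send a full segment."""
    n = queries_per_segment("example.com.")
    segment = b"".join(tcp_frame(encode_query("example.com.", i)) for i in range(n))
    msgs, rest = split_tcp_stream(segment + b"\x00")  # trailing byte starts a partial message
    guard = PipelineGuard()
    first = guard.admit("conn-1", "2001:db8::1", msgs)
    second = guard.admit("conn-2", "2001:db8::ffff", msgs)  # same /64, different address
    return {"per_segment": n, "parsed": len(msgs), "leftover": len(rest),
            "first": first, "second": second}


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the two effects side by side: a 31-byte framed query for `example.com.` fits 47 times in one 1460-byte segment, the first connection gets 16 accepted and the rest deferred by the in-flight cap, and the second connection from a different address in the same /64 is cut off by the prefix budget rather than starting with a fresh allowance.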