Re: [dns-wg] NCC reverse delegation criteria

2019-06-12 Thread Måns Nilsson
Subject: Re: [dns-wg] NCC reverse delegation criteria
Date: Wed, Jun 12, 2019 at 11:06:33PM +0300
Quoting Nick Hilliard (n...@foobar.org):
> Måns Nilsson wrote on 12/06/2019 22:42:
> > I suggest that we perform the absolute minimum of policy footwork to
> > endorse this procedure as is. Because I

Re: [dns-wg] NCC reverse delegation criteria

2019-06-12 Thread Nick Hilliard
Måns Nilsson wrote on 12/06/2019 22:42: I suggest that we perform the absolute minimum of policy footwork to endorse this procedure as is. Because I feel we have a strong if not absolute consensus for carrying on as usual from those who spoke up here. we don't really need this because it's not

Re: [dns-wg] NCC reverse delegation criteria

2019-06-12 Thread Antonio Prado via dns-wg
On 6/11/19 11:10 PM, Jonas Frey wrote:
> This whole BCP (whatever that includes in detail) is nowhere
> documented.

hi, to be honest there is a meaningful BCP about the topic: RFC 5358, BCP 140, Preventing Use of Recursive Nameservers in Reflector Attacks. under "Recommended configuration" para

Re: [dns-wg] NCC reverse delegation criteria

2019-06-12 Thread Måns Nilsson
Subject: Re: [dns-wg] NCC reverse delegation criteria Date: Tue, Jun 11, 2019 at 11:10:01PM +0200 Quoting Jonas Frey (j...@probe-networks.de): > Ian, > > > > I'd argue that it is not controversial at all. > > We have good BCP and the RIPE NCC delegation checks it. > > By all means wait for the R

Re: [dns-wg] combining authoritative and recursive DNS service

2019-06-12 Thread Tony Finch
If you allow remote servers to query your recursive servers (even if you only allow RD=0 access to your authoritative zones), then it's very easy for miscreants to deny service to your users. My resolvers reject TCP connections from outside our network to avoid this issue, amongst other techniques.

Re: [dns-wg] NCC reverse delegation criteria

2019-06-12 Thread Nick Hilliard
Gert Doering wrote on 11/06/2019 21:50: On Tue, Jun 11, 2019 at 08:40:05PM +0200, Jonas Frey wrote: The time window might be small, but serving wrong answers was not acceptable for us. ok, but in the automated world of today this small window is likely to be _really_ small. Only if everythin

[dns-wg] combining authoritative and recursive DNS service

2019-06-12 Thread Jim Reid
> On 11 Jun 2019, at 19:40, Jonas Frey wrote:
>
> I do see 3 major benefits to combine/unify these:
> - "saving" IP addresses (depending on how many you run of course[1])
> - less effort managing (not having multiple places for configuration
> thus unifying [automated] setup)
> - saving ressou

[dns-wg] RIPE NCC's reverse DNS delegation process and stats

2019-06-12 Thread Anand Buddhdev
Dear colleagues, As requested, here is some information about the reverse DNS delegation process applied by the RIPE NCC. We perform pre-delegation checks with a local instance of Zonemaster, which is DNS delegation testing software that was developed by AFNIC and IIS. The software performs the f