Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Mans Nilsson
Subject: Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt Date: Thu, Sep 11, 2008 at 03:39:09PM -0400 Quoting Ron Bonica ([EMAIL PROTECTED]): > Folks, > > This is a reminder that only two questions are on the table. These are: > > - is BCP38 enough to mitigate the attack vecto

Re: [DNSOP] question on nameserver management reqs draft

2008-09-11 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Scott Rose writes: > I know this sounds pedantic, but I noticed in the list of actions in > the name server management list "add, modify and delete" trust anchors > and other configuration details. Do we need to add "view" to that > list of actions? This wou

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Dean Anderson
On Thu, 11 Sep 2008, Ondřej Surý wrote: > No. And I don't understand why the burden of open resolvers should > be put on shoulders of attacked DNS operators. DNS operators aren't generally being attacked, and aren't generally complaining of the burden. Almost no one is complaining of

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Dean Anderson
On Thu, 11 Sep 2008, Kurt Erik Lindqvist wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > (CC trimmed) > > Having worked for a tier-1 provider and started two ISPs in the past, > I am certain that BCP38 won't be universally deployed as that is > operationally very hard and cos

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Andrew Sullivan
On Thu, Sep 11, 2008 at 03:34:36PM -0400, Dean Anderson wrote: > Please tell about the experiences you personally had with open recursor > attacks at Afilias. I guess I wasn't clear enough in my message: I am not in a position to tell you about that. I am constrained by the non-disclosure terms o

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Ron Bonica
Folks, This is a reminder that only two questions are on the table. These are: - is BCP38 enough to mitigate the attack vectors described in draft-ietf-dnsop-reflectors-are-evil-06 - is filtering after the attack has begun good enough Discussions of how many times this attack has been observed i

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Dean Anderson
Please tell about the experiences you personally had with open recursor attacks at Afilias. Afilias doesn't seem to run open recursors--is that correct? Was Afilias a target of an attack? If so, what did Afilias do to mitigate the attack? Why couldn't the attack be mitigated using ordinary metho

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Dean Anderson
On Thu, 11 Sep 2008, Olaf Kolkman wrote: > I do not have first hand experience from being under attack but I have > seen enough arguments that reflector attacks are not only > hypothetically possible but they also happen in real life. Not only > from private conversations but also from, for

[DNSOP] question on nameserver management reqs draft

2008-09-11 Thread Scott Rose
I know this sounds pedantic, but I noticed in the list of actions in the name server management list "add, modify and delete" trust anchors and other configuration details. Do we need to add "view" to that list of actions? This would apply to Section 3.2.2 - 3.2.5 I can envision a role tha

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Ondřej Surý
2008/9/10 Ron Bonica <[EMAIL PROTECTED]>: > >> >>> First layer of defense: BCP 38 >>> >>> Second layer of defense (because there are those who cannot or will not >>> implement the first layer): Restrict recursive service by default >> >> If you mean 'restrict software configuration defaults', I'm O

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Kurt Erik Lindqvist
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 (CC trimmed) Having worked for a tier-1 provider and started two ISPs in the past, I am certain that BCP38 won't be universally deployed as that is operationally very hard and costly in larger networks. This effectively means that there will st

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Olaf Kolkman
Dear Dean, [Removing Jorge from the CC-list, this reply is supposed to be technical in nature. Also removing the IESG since this appears to be a WG issue, they can go back to the archives if and when relevant] The answer to both the questions is "yes". There is still no evidence for "n

Re: [DNSOP] I-D Action:draft-ietf-dnsop-reflectors-are-evil-06.txt

2008-09-11 Thread Stephane Bortzmeyer
On Wed, Sep 10, 2008 at 03:17:51PM -0400, Ron Bonica <[EMAIL PROTECTED]> wrote a message of 39 lines which said: > Based on the response that we have seen from the WG so far, I don't > see any reason to amend the draft. BCP 38 is already published. It is certain that any message by is not suf