For me, the use case is "research". Of course I won't ask for ubiquitous dns service only for my research. I just notice there are people who are reluctant to close resolvers and this will leave more guns for attackers, so I think maybe there are middle points that some of them could stand, having less harmful open resolvers.
If there are no use cases other than research, I agree to close them all. I also agree that openness should not be the default setting.

On Sun, Mar 31, 2013 at 11:58 AM, Paul Vixie <[email protected]> wrote:
>
> Xun Fan wrote:
> > I want to emphasize here that my proposal is to use TCP only for off-net users, for all users inside the same network as OR, they just keep using UDP.
>
> i've been following this thread. i have not yet seen a motive for offering ubiquitous wide area dns services, whether by udp or tcp. can you explain what positive outcome you predict for the 20+ million open resolvers that jared's scan found last weekend, if instead of simply closing them down and avoiding the creation of any new ones, we do as you suggest and upgrade them to return TC=1 under UDP and to respond normally to TCP?
>
> what in other words is your proposed use case for 20+ million open resolvers? if it's "to support research" then i'll agree with vernon who said that the benefit of research does not outshine the cost of maintaining such a ubiquitous service. (for example, since a TC=1 packet is still a packet even though smaller, it's a good reflection tool for attacks, even if non-amplifying. to make it safe at scale you'd have to implement something like RRL to also cut the number of responses. this is new state and new logic, whose cost has to be taken into account.)
>
> > As I said before, if there are millions off-net user, then the administrator of the OR will make the judgement, probably won't close their OR.
>
> this sounds like a response to something that has not been proposed. no one is saying you can't run an OR if you want to, only that (a) if you run it you should monitor it as closely as google and opendns monitor theirs; and (b) openness should not be the default setting such that it's on even for users who do not explicitly want it to be on.
>
> paul
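The TC=1-for-off-net policy debated above, modelled as an added example that is not code from either poster: it builds a minimal DNS query and the two possible responses, and measures the bytes returned per byte received, which is the reflection cost Paul raises. The on-net prefixes, the answer set and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed "on-net" prefixes standing in for the OR operator's own network.
ON_NET = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]

QR, RD, RA, TC = 0x8000, 0x0100, 0x0080, 0x0200  # DNS header flag bits

def is_on_net(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ON_NET)

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal recursive query: 12-byte header plus one question (constructed)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def a_record(ip: str, ttl: int = 300) -> bytes:
    """One A answer; 0xC00C is a compression pointer back to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(ip).packed

def build_response(query: bytes, answers: list, truncated: bool) -> bytes:
    """Echo id and question; TC=1 carries no answers, otherwise the full answer set."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    question = query[12:]
    rflags = QR | RA | (flags & RD)
    if truncated:
        return struct.pack("!HHHHHH", txid, rflags | TC, qdcount, 0, 0, 0) + question
    return struct.pack("!HHHHHH", txid, rflags, qdcount, len(answers), 0, 0) + question + b"".join(answers)

def handle(client_ip: str, transport: str, query: bytes, answers: list) -> bytes:
    """The policy under discussion: off-net UDP clients get TC=1, everyone else a normal answer."""
    truncated = transport == "udp" and not is_on_net(client_ip)
    return build_response(query, answers, truncated)

def tc_set(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & TC)

def answer_count(response: bytes) -> int:
    return struct.unpack("!H", response[6:8])[0]

def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent to the (possibly spoofed) source address per byte received."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("example.com")
    rrs = [a_record("198.51.100.%d" % i) for i in range(1, 11)]
    for ip, transport in (("203.0.113.5", "udp"), ("203.0.113.5", "tcp"), ("192.0.2.10", "udp")):
        r = handle(ip, transport, q, rrs)
        print(ip, transport, "TC" if tc_set(r) else "full", round(amplification(q, r), 2))
```

Note that the truncated reply is exactly the size of the query, so the off-net UDP path still reflects one packet per spoofed query even though it no longer amplifies; only a rate limit such as RRL reduces that count.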
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
