On Jun 14, 2013, at 1:18 PM, Paul Vixie <[email protected]> wrote: > > > Jared Mauch wrote: >> On Jun 14, 2013, at 11:07 AM, Chip Marshall <[email protected]> >> wrote: >> >> >>> There was some talk at a recent meeting about establishing some >>> best practices for operating a DNS server. I'm curious if anyone >>> is running with this, and if not, if this would be a good forum >>> to start working on such a project. >>> >>> I know there are some IETF documents around best practices for >>> things like DNSSEC, but to the best of my knowledge there's not a >>> good repository for things like RRL, making sure your recursive >>> resolver isn't open, ensuring source port randomization (I know I >>> still see a lot of source 53 queries) and so on. >>> >> >> I know I certainly would be interested in a few things, e.g.: >> >> a) Secure configuration guidelines (RRL you can't make part of that, because >> it requires too much tuning IMHO). >> > rrl's defaults work fine on every authority server i've tried. what's your > experience, with config snippets and test results?
Based on my sampling of data, most people are not running authority servers, they are running recursive resolvers. secret, about to be released to the public graphs (to mitigate me being lazy)... http://openresolverproject.org/graph-rcode.cgi http://openresolverproject.org/breakdown-graph1.cgi - Jared _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
