>> First layer of defense: BCP 38
>>
>> Second layer of defense (because there are those who cannot or will not
>> implement the first layer): Restrict recursive service by default
>
> If you mean 'restrict software configuration defaults', I'm OK with
> that.
>
> If the draft is amended to only recommend that vendors should alter
> their _default_ software configuration, then I will not object to the
> draft.
>
>> Third layer of defense (because there are those who cannot or will not
>> implement the first or second layers): Reactively filter abusive
>> recursors (as Dean suggested).
>
Folks,

Based on the response that we have seen from the WG so far, I don't see
any reason to amend the draft. BCP 38 is already published. The
questions before the WG are:

- is BCP38 enough to mitigate the attack vectors described in
  draft-ietf-dnsop-reflectors-are-evil-06
- is filtering after the attack has begun good enough

If the answer to both of these questions is "no", the document can go
forward as is.

Ron

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop