> Ralf Weber <mailto:[email protected]>
> Friday, March 06, 2015 10:24 AM
> Moin!
> I do support this.

me too.

> But it will not stop reflection attacks.

very strong +1. such language must not be present in any form.

> Also why have
> you limited this to authoritative servers?

this raises the point: ANY deserves its own access control list, or other non-BIND equivalent. because ANY is useful for diagnostics, local sysadmins ought to be able to make such queries.

>
> Also if you are thinking about minimising vectors for amplification
> attacks
> and complexity in the software implementation getting rid of RRSIG queries
> might be also a good thing to consider.

this way lies madness. you can't know that a validator has no reasonable intent behind an RRSIG query. again, the "protects against amplification/reflection" meme must be nipped in the bud here.

--
Paul Vixie
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
