I have reviewed the document and generally support its advancement.
The only nit I have with the recommendation section is that the
recommended default configuration of recursion-off is easy to miss.
I would like to see text to the effect of:
by default nameservers SHOULD not offer recursive service to external
networks.
Olafur
At 12:34 26/10/2006, Peter Koch wrote:
Dear WG,
this message initiates a working group last call for
"Preventing Use of Recursive Nameservers in Reflector Attacks"
draft-ietf-dnsop-reflectors-are-evil-02.txt
to be published as a BCP. The WGLC will end Sat, 2006-11-11 23:59 UTC.
Please review and comment on this draft on this mailing list. The chairs
will not forward the document to the AD unless at least five reviewers
have indicated their support (for both the draft and the intended status).
Vendors' indication to follow (or not) the recommendation would be
appreciated.
Please also include editorial comments; there will be a -03 anyway since
the current draft does not yet have an IANA considerations section.
Given the title, the history and the purpose of this draft (remember the
attacks launched at the beginning of this year?), vulnerability of other
systems or server types to (becoming an accomplice in) reflection or
amplification attacks and their specific countermeasures are out of scope
for this particular document.
-Peter
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html