On Oct 13, 2010, at 1:28 PM, [email protected] wrote:

> Quoting [email protected]:
>
>> Oops, sorry. I forgot to disable S/MIME for the list-mail.
>>
>> But the question remains:
>>
>> What is "best practice" to limit the resources used and to be a good citizen
>> when using unbound as public DNSSEC aware resolver, or is it not recommended
>> at all?
>>
>
> Still no answer for this one so I guess it is not recommended at all...
>

Best current practices are documented in RFC5358 "Preventing Use of Recursive Nameservers in Reflector Attacks"
http://tools.ietf.org/html/rfc5358

Key sentence there is:

   By default, nameservers SHOULD NOT offer recursive service to external networks.

but the document offers suggestions on what to do when you have public facing recursive service. (which boil down to 'know who you talk to')

Hope this helps.

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
Science Park 140,
1098 XG Amsterdam
http://www.nlnetlabs.nl/

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
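
An added example, not part of the message above or of the Unbound project's own documentation: an unbound.conf fragment that applies the RFC 5358 default of refusing recursion to external networks and allows only known client ranges. The address ranges are documentation placeholders assumed for illustration.

```conf
# unbound.conf fragment (added example; client ranges are placeholders)
server:
    # Listen on all interfaces, but do not answer everyone.
    interface: 0.0.0.0
    interface: ::0

    # Weak setting: an open resolver that anyone can use as a reflector.
    # access-control: 0.0.0.0/0 allow
    # access-control: ::0/0 allow

    # RFC 5358 default: no recursive service for external networks.
    # "refuse" answers with rcode REFUSED; "deny" drops the query
    # without sending any reply.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Known clients only. The most specific matching netblock wins,
    # so these override the catch-all entries above.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow      # placeholder (RFC 5737)
    access-control: 2001:db8::/32 allow     # placeholder (RFC 3849)
```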
