[161875] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jack Bates)
Wed Mar 27 18:04:05 2013
Date: Wed, 27 Mar 2013 16:59:16 -0500
From: Jack Bates <jbates@brightok.net>
To: Tony Finch <dot@dotat.at>
In-Reply-To: <alpine.LSU.2.00.1303272142440.2785@hermes-1.csi.cam.ac.uk>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 3/27/2013 4:49 PM, Tony Finch wrote:
> Jack Bates <jbates@brightok.net> wrote:
>
>> 3) BCP38 (in spirit)
> That should be deployed as well as RRL.
>
> Tony.
If BCP38 were properly deployed, what would be the purpose of RRL outside
of misbehaving clients or direct attacks against that one server?
We already know the fix for spoofing. Trying to tweak every service that
spoofing effectively takes advantage of will not be a winning game.
Sending legitimate clients to TCP is also a losing game. DNS is UDP for
a reason. The infrastructure to switch it to TCP is prohibitive and
completely destroys the anycast mechanisms.
Jack
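The two mechanisms argued over in this exchange, BCP38 source-address filtering at the network edge and Response Rate Limiting (RRL) on the authoritative server, as an added illustration that is not part of the original thread or of any named implementation. The prefix list, rate limit, slip ratio and the burst of spoofed queries are all constructed; real RRL implementations key and count somewhat differently, but the "send / slip (TC=1) / drop" outcome is the mechanism Jack's TCP-fallback objection refers to.

```python
"""Toy model of BCP38 ingress filtering and DNS Response Rate Limiting.

Added example; not code from the NANOG thread or from BIND/NSD. All prefixes,
rates and traffic below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict


def bcp38_permit(src_ip, assigned_prefixes):
    """BCP38 ingress filtering: an access port forwards a packet only if its
    source address falls inside a prefix assigned to that port. Anything else
    is spoofed (or misrouted) and is dropped before it can reach a resolver."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in assigned_prefixes)


class ResponseRateLimiter:
    """Simplified RRL: identical responses are counted per (client netblock,
    response identity) within a one-second window. Above the limit, every
    `slip`-th response is sent truncated (TC=1) so a genuine client retries
    over TCP; the remainder are dropped. A spoofed victim never sends the
    TCP retry, so the amplification towards it stops."""

    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = ipv4_prefix_len
        # bucket state: current 1-second window, responses in it, excess count
        self.buckets = defaultdict(lambda: {"window": None, "count": 0, "over": 0})

    def _key(self, client_ip, qname, qtype, rcode):
        # Clients are aggregated per /24 so an attacker cannot dodge the
        # limiter by rotating spoofed sources inside one netblock.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), qtype, rcode)

    def decide(self, client_ip, qname, qtype, now, rcode="NOERROR"):
        """Return 'send', 'slip' (truncated reply, TC=1) or 'drop'."""
        b = self.buckets[self._key(client_ip, qname, qtype, rcode)]
        window = int(now)
        if b["window"] != window:
            b["window"], b["count"], b["over"] = window, 0, 0
        b["count"] += 1
        if b["count"] <= self.rps:
            return "send"
        b["over"] += 1
        if self.slip and b["over"] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_burst(limiter, src_ip, n, qname="example.com.", qtype="ANY"):
    """n identical queries carrying the same (possibly spoofed) source,
    all arriving within one second. Constructed traffic, not a capture."""
    return [limiter.decide(src_ip, qname, qtype, now=100.0 + i / n) for i in range(n)]


if __name__ == "__main__":
    # Constructed edge port: the customer was assigned 198.51.100.0/24.
    port_prefixes = ["198.51.100.0/24"]
    for src in ("198.51.100.20", "203.0.113.7"):
        print(f"BCP38 ingress {src}: {'permit' if bcp38_permit(src, port_prefixes) else 'drop'}")

    # Without BCP38 the spoofed burst reaches the server; RRL limits the damage.
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    outcome = simulate_burst(rrl, "203.0.113.7", 20)
    print("RRL outcomes:", {k: outcome.count(k) for k in ("send", "slip", "drop")})
```

The point the model makes concrete: the BCP38 check needs only the prefix assignment at the port and drops the spoofed packet outright, whereas RRL acts after the query has already consumed server resources and, for a real client that happens to share a /24 with an attacker, degrades service by forcing the TCP retry.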