> > i'd also like to see the following new paragraph added to section 10:
> >
> > All of the spoofing attacks described in this document are due to the
> > nearly universal lack of IP source address validation (see [BCP38] and
> > [SAC004] for more information). If the source address of a UDP
> > datagram were trustworthy, then there would be no need for forgery
> > resilience in DNS initiators.

>
> Strongly -1 here. See the Last Call comments and the IESG DISCUSS for
> draft-ietf-dnsop-reflectors-are-evil, which had the exact same issue
> (overreliance on BCP38).


does ed lewis' observation (that on LANs, BCP38 doesn't help you) and my
agreement (that the language should be modified to that effect) help at all?

i'm concerned that a reader of this document know the real source of the
terror, which isn't in DNS's design alone, but rather, the whole IP stack.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
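As an added illustration (not from the thread, the draft, or any of the posters), the following model of BCP38-style ingress filtering shows what source address validation catches and the on-LAN gap raised above: a router can drop a datagram whose source does not belong to the interface it arrived on, but it cannot tell two hosts inside the same prefix apart. Interface names, prefixes and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: the source prefixes a router expects to see on each
# interface. None means "no expectation" (a transit link that legitimately
# carries traffic from anywhere), which is exactly where BCP38 cannot help.
INGRESS_POLICY = {
    "lan0": [ip_network("192.0.2.0/24")],    # customer LAN (TEST-NET-1)
    "upstream0": None,                       # transit link: any source accepted
}


@dataclass(frozen=True)
class Datagram:
    iface: str   # interface the datagram arrived on
    src: str     # claimed IP source address (the untrusted field)
    dst: str
    dport: int


def bcp38_permits(dg: Datagram, policy=INGRESS_POLICY) -> bool:
    """True if the claimed source is plausible for the arrival interface."""
    allowed = policy.get(dg.iface)
    if allowed is None:
        return True  # no filter can be applied on this interface
    src = ip_address(dg.src)
    return any(src in net for net in allowed)


def demo() -> dict:
    """Three constructed cases illustrating the reach and limit of the filter."""
    legit = Datagram("lan0", "192.0.2.7", "198.51.100.53", 53)
    # A LAN host forging a source outside its own prefix: dropped at the edge.
    forged_external = Datagram("lan0", "203.0.113.9", "198.51.100.53", 53)
    # A LAN host forging a neighbour's address on the same /24: the filter
    # sees a valid prefix and passes it, so on-LAN spoofing is untouched.
    forged_neighbour = Datagram("lan0", "192.0.2.8", "198.51.100.53", 53)
    return {
        "legit": bcp38_permits(legit),                    # True
        "forged_external": bcp38_permits(forged_external),  # False
        "forged_neighbour": bcp38_permits(forged_neighbour),  # True (gap)
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:17s} -> {'forwarded' if permitted else 'dropped'}")
```

The unfiltered transit interface and the neighbour-spoofing case are why the draft still needs forgery resilience in the DNS initiator rather than deferring entirely to BCP38.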