This is a discussion on Limiting recursion...was Re: the RD bit is troubling me today - DNS ; At 8:06 +0000 2/8/06, Paul Vixie wrote: >There's another, more extreme problem with dual-purpose servers, and that's >security. Recursive nameservers which are open to the internet are, because >of the widespread ridicule heaped upon RFC2827/BCP38 and SAC004, "dangerous". >(I am ...
At 8:06 +0000 2/8/06, Paul Vixie wrote:
>There's another, more extreme problem with dual-purpose servers, and that's
>security. Recursive nameservers which are open to the internet are, because
>of the widespread ridicule heaped upon RFC2827/BCP38 and SAC004, "dangerous".
>(I am aware of a multi-gigabit attack occuring against a neighbor, even as I
>type this, involving a few thousand open-to-recursion nameservers, 4K TXT RRs,
>a low-intensity spoofed source query stream from a botnet, and EDNS0.) Since
>it's operationally difficult to use different ACLs for recursion vs authority,
>most people just don't do it. So most dual-purpose nameservers are fully open
>and thus "dangerous". So if we do manage to nail down a practical
>interpretation of dual-purpose, I'll want the resulting clarification document
>to sing most expansively the damnation against open recursive servers, and if
>I am an author of such a document, it will advise "just don't do it" as the
>safest course of action.
When you say "security" you mean potential for abuse on the public
Internet, not security as in the safety of what you learn, right?
Just because "most dual-purpose nameservers are fully open" doesn't
mean that dual-purpose shouldn't be clarified if the specs are
unclear. What needs to be made more clear is that open recursers are
a problem - regardless if whether they are also dual-pupose.
Perhaps default settings of nameserver implementations ought to limit
recursion to the loopback address, forcing a conscious decision on
the deployer of the server to know what they are driving on the
For me, my most common use of dual-purpose has been with BIND views,
defining one view that has no recursion and answers to the outside
world and another view that has my split-brained zones and recursion
allowed for internal machines. This is my "most common"...I will say
that when I dual-purpose a server it usually is done with BIND's
views whether or not split-brain is involved.
Edward Lewis +1-571-434-5468
Nothin' more exciting than going to the printer to watch the toner drain...
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.