Limiting recursion...was Re: the RD bit is troubling me today
At 8:06 +0000 2/8/06, Paul Vixie wrote:
>There's another, more extreme problem with dual-purpose servers, and that's
>security. Recursive nameservers which are open to the internet are, because
>of the widespread ridicule heaped upon RFC2827/BCP38 and SAC004, "dangerous".
>(I am aware of a multi-gigabit attack occuring against a neighbor, even as I
>type this, involving a few thousand open-to-recursion nameservers, 4K TXT RRs,
>a low-intensity spoofed source query stream from a botnet, and EDNS0.) Since
>it's operationally difficult to use different ACLs for recursion vs authority,
>most people just don't do it. So most dual-purpose nameservers are fully open
>and thus "dangerous". So if we do manage to nail down a practical
>interpretation of dual-purpose, I'll want the resulting clarification document
>to sing most expansively the damnation against open recursive servers, and if
>I am an author of such a document, it will advise "just don't do it" as the
>safest course of action.[/color]
When you say "security" you mean potential for abuse on the public
Internet, not security as in the safety of what you learn, right?
Just because "most dual-purpose nameservers are fully open" doesn't
mean that dual-purpose shouldn't be clarified if the specs are
unclear. What needs to be made more clear is that open recursers are
a problem - regardless if whether they are also dual-pupose.
Perhaps default settings of nameserver implementations ought to limit
recursion to the loopback address, forcing a conscious decision on
the deployer of the server to know what they are driving on the
For me, my most common use of dual-purpose has been with BIND views,
defining one view that has no recursion and answers to the outside
world and another view that has my split-brained zones and recursion
allowed for internal machines. This is my "most common"...I will say
that when I dual-purpose a server it usually is done with BIND's
views whether or not split-brain is involved.
Edward Lewis +1-571-434-5468
Nothin' more exciting than going to the printer to watch the toner drain...
to unsubscribe send a message to [email]firstname.lastname@example.org[/email] with
the word 'unsubscribe' in a single line as the message text body.