[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On 3/27/2013 4:49 PM, Tony Finch wrote:
> Jack Bates <jbates at brightok.net> wrote:
>> 3) BCP38 (in spirit)
> That should be deployed as well as RRL.
> Tony.

If BCP38 was properly deployed, what would be the purpose of RRL outside 
of misbehaving clients or direct attacks against that one server?

We already know the fix for spoofing. Trying to tweak every service that 
spoofing effectively takes advantage of will not be a winning game. 
Sending legitimate clients to TCP is also a losing game. DNS is UDP for 
a reason. The infrastructure to switch it to TCP is prohibitive and 
completely destroys the anycast mechanisms.