ietf
[Top] [All Lists]

Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP

2007-09-28 00:34:59
On Thu, Sep 27, 2007 at 06:45:55PM -0700,
 Paul Hoffman <paul(_dot_)hoffman(_at_)vpnc(_dot_)org> wrote 
 a message of 36 lines which said:

It ignores one of the main reasons that many organizations purposely
choose to provide recursive lookup to the public, namely for their
own roaming users.

No, it is *not* ignored. See section 4, for instance :

   o  Use TSIG [RFC2845] or SIG(0) [RFC2931] signed queries to
      authenticate the clients.  This is a less error prone method,
      which allows server operators to provide service to clients who
      change IP address frequently (e.g. roaming clients).

VPN are another solution, although not mentioned in the I-D, may be
because it is obvious.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf