Subject: Re: change named.conf to turn off recursion by default?
To: None <tech-net@netbsd.org>
From: Rui Paulo <rpaulo@fnop.net>
List: tech-net
Date: 03/06/2006 00:55:01
"Steven M. Bellovin" <smb@cs.columbia.edu> writes:

> Given the increasing problem of DOS reflector attacks via the DNS -- see
>
> 	http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
> 	http://cc.uoregon.edu/cnews/winter2006/recursive.htm
>
> should we ship a named.conf that disables recursion?  OpenBSD has
> shipped that way since at least 2004.  

I'm all for it.

>
> The problem is that doing it properly requires the site to fill in
> trusted hosts or nets, which means that it won't run properly out of
> the box for some configurations.
>
>  --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>

-- 
  Rui Paulo			<rpaulo@{NetBSD{,-PT}.org,fnop.net}>
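
The two postures discussed in this thread, sketched as a named.conf fragment. This is an added example, not part of the original message or of any shipped NetBSD or OpenBSD configuration; the ACL name "trusted" and the 192.0.2.0/24 prefix are placeholders a site would replace with its own networks.

```conf
// Constructed named.conf fragment for illustration.

// Open resolver: answers recursive queries from any source, which is
// what makes the server usable as a DNS reflector.
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// Option A: no recursion at all. Safe out of the box, but local
// clients can no longer use this server as their resolver.
// options {
//     recursion no;
// };

// Option B: recursion only for clients the site explicitly trusts.
// This is the part that cannot be pre-filled by the OS vendor.
acl "trusted" {
    localhost;       // built-in ACL: this host's own addresses
    localnets;       // built-in ACL: directly attached networks
    192.0.2.0/24;    // placeholder: the site's client network
};

options {
    recursion yes;
    allow-recursion { "trusted"; };   // all other sources are refused recursion
};
```

Running `named-checkconf` on the edited file catches syntax errors before named is restarted.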