Subject: Re: change named.conf to turn off recursion by default?
To: None <tech-net@netbsd.org>
From: Rui Paulo <rpaulo@fnop.net>
List: tech-net
Date: 03/06/2006 00:55:01
"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
> Given the increasing problem of DOS reflector attacks via the DNS -- see
>
> http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
> http://cc.uoregon.edu/cnews/winter2006/recursive.htm
>
> should we ship a named.conf that disables recursion? OpenBSD has
> shipped that way since at least 2004.
I'm all ok for it.
>
> The problem is that doing it properly requires the site to fill in
> trusted hosts or nets, which means that it won't run properly out of
> the box for some configurations.
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
--
Rui Paulo <rpaulo@{NetBSD{,-PT}.org,fnop.net}>
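
The two options discussed in this thread, written out in BIND 9 named.conf syntax. This is an added example, not part of the original message and not NetBSD's shipped named.conf; the ACL name "trusted" and the 192.0.2.0/24 network are placeholders a site would replace with its own values.

```conf
// Added example; not NetBSD's shipped named.conf.
// "trusted" and 192.0.2.0/24 are placeholders (assumptions).

// Variant A: recursion off out of the box. The server answers only
// for zones it is authoritative for, so it cannot be used as an
// open resolver in a reflector attack, but local clients cannot
// use it as a resolver either until the site edits the file.
//
// options {
//         recursion no;
// };

// Variant B: recursion on, restricted to hosts and nets the site
// trusts. This is the "fill in trusted hosts or nets" step.
acl "trusted" {
        localhost;        // built-in ACL: this host's own addresses
        localnets;        // built-in ACL: directly attached networks
        192.0.2.0/24;     // placeholder: an additional site network
};

options {
        recursion yes;
        // Recursive queries from anyone outside "trusted" are refused.
        allow-recursion { trusted; };
};
```

Running named-checkconf on the edited file catches syntax errors before named is restarted.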