Subject: Re: change named.conf to turn off recursion by default?
To: None <smb@cs.columbia.edu>
From: Havard Eidnes <he@uninett.no>
List: tech-net
Date: 03/06/2006 14:59:08
> Given the increasing problem of DOS reflector attacks via the DNS -- see
>
>       http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
>       http://cc.uoregon.edu/cnews/winter2006/recursive.htm
>
> should we ship a named.conf that disables recursion?  OpenBSD has
> shipped that way since at least 2004.


I suggest we ship a named.conf which looks something like this:


# The following configuration allows one to merely put named=YES
# in /etc/rc.conf to get a local recursive name server, and this
# name server cannot be abused in a DNS reflector/amplifier
# attack.
#
# It is recommended that recursive and publishing/authoritative
# functions be performed by either different hosts or through use
# of different views (see the documentation).
#
# Only in the unfortunate situation where the mixing of these
# two functions cannot be avoided should one resort to using
# "allow-recursion" with an ACL.

options {
    recursion yes;
    allow-query {
#       localnets;
        localhost;
    };
};


Or... Should we provide a config which does recursion for a local
view, with restrictions imposed?  The benefit would be that the
same host could be used both as an authoritative name server and
as a recursive resolver, AFAIK without any of the downsides one
would have from earlier where BIND would mix the data from the
two pools.  I believe that would look something like this:

view "recursion" {
#   The BIND 9 option is spelled match-recursive-only; this view is
#   selected only for queries that have the RD (recursion desired) bit set.
    match-recursive-only yes;
    recursion yes;
    allow-query {
        localhost;
#       localnets;
    };
};

(Hm, this one is untested, but "should work"...)

> The problem is that doing it properly requires the site to fill in
> trusted hosts or nets, which means that it won't run properly out of
> the box for some configurations.

"localhost" and "localnets" in BIND can be used to some effect...

Regards,

- Håvard
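The two-view layout sketched in the message, written out as a complete named.conf. This is an added example, not configuration from the original message or from the NetBSD tree: the zone name example.net, the file names, the directory /etc/namedb and the root.cache hint file are placeholders chosen for illustration. It combines the two ideas above (a resolver reachable only from trusted addresses, and an authoritative server that refuses recursion for everyone else) so that neither view can be used as an open reflector.

```conf
// Added example, not from the original message. One host that is a
// recursive resolver for trusted clients and an authoritative server
// for everyone; zone names and paths are placeholders.

acl "trusted" {
    localhost;
    localnets;          // hosts on directly attached networks
};

options {
    directory "/etc/namedb";   // assumed; NetBSD convention
    recursion no;              // default; the internal view overrides it
    allow-query { any; };      // authoritative data is public
};

// View 1: matched only for recursive queries from trusted addresses.
// Queries without the RD bit fall through to the external view.
view "internal" {
    match-clients { "trusted"; };
    match-recursive-only yes;
    recursion yes;
    allow-query { "trusted"; };
    allow-recursion { "trusted"; };

    // Root hints; BIND 9 also has built-in hints if this file is absent.
    zone "." {
        type hint;
        file "root.cache";
    };

    // With views in use, every zone must be declared inside a view;
    // a zone that should be answered in both views is listed twice.
    zone "example.net" {
        type master;
        file "example.net";
    };
};

// View 2: everyone else gets authoritative answers only, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "example.net" {
        type master;
        file "example.net";
    };
};
```

Check the syntax with named-checkconf before restarting named. To verify the behaviour, run dig from an address outside the trusted ACL: a query for a name in example.net should be answered, while a recursive query for a name the server is not authoritative for should come back without an answer (REFUSED on current BIND; some older 9.x releases instead sent an upward referral to the root servers, which is the small reflector response the US-CERT paper describes). From localhost or a directly attached network the same recursive query should resolve normally.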