Re: [DNSOP] Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP



It does indeed, as Stephane pointed out.
Opening up your resolver so you can serve roaming users, without further protection, is, at best, naive.


Joao

On 28 Sep 2007, at 12:15, Jaap Akkerhuis wrote:


There are two major reasons for an organization to not want roaming
users to trust locally-assigned DNS servers.


Open recursive servers don't help against man-in-the-middle
attacks. If you want to avoid that, use VPNs or (for DNS) TSIG.

I seem to remember that the ID actually mentions that.

	jaap





Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
