[Unbound-users] Unbound as public DNSSEC resolver
Olaf Kolkman
olaf at NLnetLabs.nl
Wed Oct 13 12:48:21 UTC 2010
On Oct 13, 2010, at 1:28 PM, lst_hoe02 at kwsoft.de wrote:
> Quoting lst_hoe02 at kwsoft.de:
>
>> Oops, sorry. I forgot to disable S/MIME for the list-mail.
>>
>> But the question remains:
>>
>> What is "best practice" to limit the resources used and to be a good citizen when using unbound as a public DNSSEC-aware resolver, or is it not recommended at all?
>>
>
> Still no answer for this one so I guess it is not recommended at all...
>
Best current practices are documented in RFC5358 "Preventing Use of Recursive Nameservers in Reflector Attacks"
http://tools.ietf.org/html/rfc5358

Key sentence there is:

    By default, nameservers SHOULD NOT offer recursive service to
    external networks.

but the document offers suggestions on what to do when you have public facing recursive service (which boil down to 'know who you talk to').

Hope this helps.

--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
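
Added example (not part of the original message and not NLnet Labs code): one way to check "know who you talk to" against an Unbound configuration is to list every `access-control:` line that grants recursion to a netblock outside internal address space. The function names, the INTERNAL range list and the sample configuration are assumptions constructed for this illustration.

```python
import ipaddress

# Assumption for this audit: only loopback, link-local, RFC 1918 and IPv6 ULA
# space counts as "internal"; your own public prefixes will show up for review.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(net):
    """True if net lies entirely inside one of the INTERNAL ranges."""
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def external_recursion_grants(conf_text):
    """Return [(line_no, netblock, action)] for every access-control line
    that grants recursion (allow, allow_snoop, ...) outside INTERNAL."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        parts = [p.strip('"') for p in line.split(":", 1)[1].split()]
        if len(parts) != 2:
            continue                                  # malformed, skip
        netblock, action = parts
        try:
            net = ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            continue
        if action.startswith("allow") and not is_internal(net):
            findings.append((line_no, str(net), action))
    return findings

# Constructed sample configuration (documentation prefixes, not a real server).
SAMPLE = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.10.0/24 allow      # office LAN
    access-control: 0.0.0.0/0 allow            # anyone on the Internet
    access-control: 198.51.100.0/24 allow_snoop
    access-control: 203.0.113.0/24 refuse
"""

if __name__ == "__main__":
    for line_no, net, action in external_recursion_grants(SAMPLE):
        print(f"line {line_no}: {action} for {net} - do you know these clients?")
```

Each reported line is a netblock to confirm as a known client population or to change to `refuse`; Unbound matches the most specific netblock, which this check does not model.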