[Unbound-users] Unbound as public DNSSEC resolver

Olaf Kolkman olaf at NLnetLabs.nl
Wed Oct 13 12:48:21 UTC 2010

On Oct 13, 2010, at 1:28 PM, lst_hoe02 at kwsoft.de wrote:

> Zitat von lst_hoe02 at kwsoft.de:
>> Ups, sorry. I forgot to disable S/MIME for the list-mail.
>> But the question remains:
>> What is "best practice" to limit the resources used and to be a good citizen when using unbound as public DNSSEC aware resolver, or is it not recommended at all?
> Still no answer for this one so I guess it is not recommended at all...

Best current practices are documented in RFC5358 "Preventing Use of Recursive Nameservers in Reflector Attacks".

Key sentence there is:
   By default, nameservers SHOULD NOT offer recursive service to
   external networks.

But the document offers suggestions on what to do when you have a public-facing recursive service (which boil down to 'know who you talk to').

Hope this helps.



Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam
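As an added example that is not part of Olaf's message or of Unbound's own documentation, here is an unbound.conf `server:` fragment that applies the RFC 5358 advice (no recursion for external networks) next to the open setting it replaces; the interface addresses, the allowed network prefixes and the trust-anchor path are placeholders.

```conf
# Added example (not from the thread): RFC 5358 access control in unbound.conf.
server:
    # Addresses the resolver listens on (placeholders).
    interface: 192.0.2.53
    interface: 2001:db8::53

    # WEAK: this is what turns a resolver into an open reflector,
    # because any host on the Internet may recurse through it.
    # access-control: 0.0.0.0/0 allow
    # access-control: ::/0 allow

    # Preferred: refuse by default (a REFUSED answer is tiny, so it is not
    # a useful amplifier) and allow only the networks you know you serve.
    # Unbound picks the most specific matching netblock.
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow      # placeholder: your own network
    access-control: 2001:db8::/32 allow     # placeholder: your own network

    # DNSSEC validation, with the root trust anchor kept current per RFC 5011.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # placeholder path

    # Keep answers small: drop optional authority/additional sections, which
    # lowers the amplification factor of any query you do answer.
    minimal-responses: yes

    # Per-client query rate limit (queries per second per source address);
    # this option exists in Unbound releases newer than the 2010 thread.
    ip-ratelimit: 20
```

Resource usage is then bounded mostly by the clients you have explicitly allowed, which is the "know who you talk to" point of the RFC.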
