On 11 Jun 2019, at 17:28, Jonas Frey <jf@probe-networks.de> wrote:
> As previously noted most (if not all) ccTLD registries do not block when an open recursor is found. (C/N/O: Verisign pass, EU EURID: pass, DE DENIC: pass with warn). Now that these ccTLDs deal with *a lot* more nameservers than RIPE (probably), why would it make sense for RIPE to force a block of them?
With the exception of gTLDs who pretty much have to do what ICANN tells them, registries are free to make their own policies on delegation. If the RIPE community wants a more restrictive or liberal delegation policy for reverse zones than some other registry, that is perfectly fine. The community decides. And what’s “right” for one registry isn’t necessarily right for another. It’s not a question of how many/few nameservers a registry might need to check. That’s a (mostly unimportant) implementation detail.
> IMO: if the open resolver+auth. resolver is considered a bad setup (for operational reasons/resilience or whatever) then that should be left up to the company running it (as possible impact is limited to that - besides amplification).
Nope. There are other much more unpleasant impacts: consider cache poisoning. If your authoritative server also handles arbitrary recursive queries, I can make your name server query my DNS server which tells lies. Unless your server does DNSSEC validation, it will then spread these lies for me. Thanks! Worst case, I might even be able to hijack your authoritative domains by injecting new glue records for those domains into your server’s cache.

That said, I’m usually not in favour of preventing people or companies from doing stupid things - like intermingling recursive and authoritative DNS servers. [Darwinism will always win in the end.] I can get paid $$$$ to fix these broken setups. :-) But more importantly, people tend to learn best from their mistakes because they then make sure they don’t repeat them.

As someone once said “The IETF is not in the business of hanging people. But it does provide plenty of rope.” I think those comments apply very well here too.
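To make the "intermingled" setup and its fix concrete, here is an added BIND 9 named.conf sketch (not from the thread or from any RIPE tooling): the weak single-instance configuration that both serves a zone and answers recursive queries from anyone, followed by the split into an authoritative-only instance and a validating resolver restricted to the operator's own clients. The zone name, file paths and the 192.0.2.0/24 client range are constructed placeholders.

```conf
// ---- WEAK: one instance is authoritative AND an open recursor ----
// Anyone on the Internet can make this server chase arbitrary names,
// so a lying upstream can seed its cache, and without validation the
// poisoned data is then handed out alongside the authoritative zone.
options {
    recursion yes;
    allow-recursion { any; };     // open recursor: RIPE's check trips here
    allow-query-cache { any; };
    dnssec-validation no;         // nothing stops forged answers
};
zone "example.org" {
    type master;
    file "/var/named/example.org.zone";   // constructed path
};

// ---- HARDENED, instance 1: authoritative only (public-facing) ----
// Never recurses, so it never fetches anything an outsider could forge;
// it only answers for the zones it is configured to serve.
options {
    recursion no;                 // out-of-zone queries get REFUSED
    allow-query { any; };         // authoritative data is public
    allow-query-cache { none; };  // there is no cache to expose
};
zone "example.org" {
    type master;
    file "/var/named/example.org.zone";
};

// ---- HARDENED, instance 2: recursive resolver (internal-facing) ----
// Serves no zones of its own, recurses only for the operator's clients,
// and validates DNSSEC so forged records from a lying server are dropped.
acl "our-clients" { 192.0.2.0/24; localhost; };   // constructed range
options {
    recursion yes;
    allow-recursion { "our-clients"; };
    allow-query { "our-clients"; };
    allow-query-cache { "our-clients"; };
    dnssec-validation auto;       // uses the built-in root trust anchor
};
```

A quick self-check from outside the client range is `dig @<your-auth-ns> www.example.com A`: the authoritative instance should answer REFUSED with the `ra` flag absent, which is the behaviour the registry open-recursor test is looking for.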