Maintained by: NLnet Labs

[Unbound-users] Unbound as public DNSSEC resolver

Olaf Kolkman
Wed Oct 13 14:48:21 CEST 2010

On Oct 13, 2010, at 1:28 PM, lst_hoe02 at wrote:

> Zitat von lst_hoe02 at
>> Ups, sorry. I forgot to disable S/MIME for the list-mail.
>> But the question remains:
>> What is "best practice" to limit the resources used and to be a good citizen when using unbound as public DNSSEC aware resolver, or is it no recommended at all?
> Still no answer for this one so i guess it is not recommended at all...

Best current practices are documented in RFC5358 "Preventing Use of Recursive Nameservers in Reflector Attacks"

Key sentence there is:
   By default, nameservers SHOULD NOT offer recursive service to
   external networks.

but the document offers suggestions on what to do when you have public facing recursive service. (which boil down to 'know who you talk to')

Hope this helps.



Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140,               1098 XG Amsterdam