For those not on NANOG, on that list is quite some discussion going on about using (recursive) name servers for amplicication attacks. The discussion starts at http://www.merit.edu/mail.archives/nanog/threads.html#16000.o There is a special mailing list devoted on this problem by the isc: http://lists.oarci.net/mailman/listinfo/dns-operations, and this list is open to anyone. There is an US cert warning about this: http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf. The upshot is: Close your open recursive nameservers. Other info: http://dns.measurement-factory.com/surveys/sum1.html and a plug for a secure template by the cymru guys: http://www.cymru.com/Documents/secure-bind-template.html Maybe all this is worth a slot at the coming dns-wg (or eof) meeting? jaap Acknowledgement: Information compiled from messages from Harvey Allen, Lucy Lynch, Rob Thomas and others.