[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Zuleger, Holger, Vodafone Germany holger.zuleger at vodafone.com
Mon Jun 11 06:56:32 UTC 2012


> > are there legitimate reasons to continue supporting ANY queries?
Good question.

> They are very useful for debugging. I would regret their
> disappearance. What about forcing TCP for ANY requests only? It would
> limit ANY requests to people who don't spoof their source IP address.
> 
> I do not know how to force TC for replies to ANY queries. Patches for
This will limit the amplification factor (and I was looking for
something like this too), but I guess that most of the name servers are trying to
put as much as possible in the answer packet and setting the TC bit, so
without an option to reduce the answer packet to a minimum, it will not
help much.

> BIND and nsd are welcome. In the mean time, limiting the outbound size
> to something that will probably affect only ANY queries is a 
> possible workaround:
> 
> BIND:
> max-udp-size 1460
I did this, but even then the amplification factor seems to be high
enough.

One problem is the ANY query (and I'm pretty sure that this is indeed a
big problem), but another one is the number of RRs at the zone apex.
I think it was an engineering fault to place SPF records (and the TXT
representation) at the zone apex (even MX records should be replaced by
the more general SRV record).

Anyway, personally I do not see the benefit of ANY queries at all. So
deprecation is overdue.
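As an added illustration (not part of the thread or from any name server implementation), the script below estimates how `max-udp-size` and the server's truncation policy change the amplification factor of an ANY query compared with an MX query at a constructed zone apex. The apex RRset, the name "example." and the wire-size approximations are assumptions made for the example.

```python
"""Estimate the UDP amplification of an ANY query under different truncation
policies. Added illustration, not from the thread; sizes are approximations
(apex owner names assumed to be 2-byte compression pointers; RRset constructed)."""

HEADER, OPT_RR = 12, 11              # DNS header; EDNS0 OPT RR with empty RDATA
RR_FIXED = 2 + 2 + 2 + 4 + 2         # name pointer + TYPE + CLASS + TTL + RDLENGTH


def qname_wire(name):
    """Wire length of an uncompressed name: one length byte per label plus root."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1


def query_size(qname):
    """Query carrying an EDNS0 OPT record (the usual case for a modern resolver)."""
    return HEADER + qname_wire(qname) + 4 + OPT_RR


def reply_size(qname, rdata_lens, max_udp, policy="fill"):
    """Return (reply bytes, TC set?) for a reply that must fit in max_udp.

    policy="fill":    pack as many whole RRs as fit, then set TC (what most servers do).
    policy="minimal": if the full answer does not fit, send header+question only with TC.
    """
    base = HEADER + qname_wire(qname) + 4 + OPT_RR
    sizes = [RR_FIXED + n for n in rdata_lens]
    if base + sum(sizes) <= max_udp:
        return base + sum(sizes), False
    if policy == "minimal":
        return base, True
    size = base
    for s in sizes:                  # RRs cannot be split, so stop at the first that overflows
        if size + s > max_udp:
            break
        size += s
    return size, True


def amplification(qname, rdata_lens, max_udp, policy="fill"):
    """Amplification factor (reply bytes / query bytes), rounded to one decimal."""
    size, tc = reply_size(qname, rdata_lens, max_udp, policy)
    return round(size / query_size(qname), 1), tc


# Constructed apex RRset: SOA, 4 NS, 3 MX, SPF-as-TXT, A, AAAA, 2 DNSKEY, 8 RRSIG (RDATA bytes).
APEX = [40] + [14] * 4 + [16] * 3 + [120] + [4, 16] + [264, 68] + [170] * 8
MX_ONLY = [16] * 3

if __name__ == "__main__":
    for max_udp, policy in [(4096, "fill"), (1460, "fill"), (1460, "minimal")]:
        print(f"ANY, max-udp-size {max_udp}, {policy}:", amplification("example.", APEX, max_udp, policy))
    print("MX only:", amplification("example.", MX_ONLY, 4096))
```

With these constructed sizes the ANY reply is roughly 63x the query, a 1460-byte limit with fill-then-truncate still leaves it near 38x, only a minimal TC reply brings it to 1x, and the MX answer the MTA actually needs is about 3x.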
