[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Vernon Schryver vjs at rhyolite.com
Mon Jun 11 15:07:13 UTC 2012

> From: Tony Finch <dot at dotat.at>

> I think it's wrong to focus on ANY queries: restricting them just
> encourages the attackers to move on to another query type. For a domain
> with DNSSEC you get almost as much data in return to an MX query - 2KB vs
> 1.5KB for cam.ac.uk.

Today I see 2232 byte responses for another type from the authoritative
servers for another domain often discussed in this context.  That
obvious type is not TXT, SPF, MX, or anything else that might be
deleted, deprecated, shrunk, compressed, moved to an apex, or whatever.

ANY queries might be of little use to computers, but I find them useful
while chasing DNS problems.

Emergency patches against ANY to last for a day or two for lack of
other available tools can make good sense--for a day or so.  But
spending any long term effort on ANY queries in this context is the
same "thinking" that brought us SPF as the final ultimate solution
to the spam problem (FUSSP), because as we all "knew," spam requires
forged senders.  That analogy goes farther than one might realize,
because some of the ANY "solutions" I've heard include analogs of
the amazingly uninformed and wrong headed SPF re-invention of SMTP
source routes.

Vernon Schryver    vjs at rhyolite.com

P.S.  I know the current line is that SPF is not and never was a FUSSP;
that doesn't change what was said at the time.  I also know that DKIM
has some real operational value, despite the fact that plenty of
unsolicited, objectionable bulk email advertising is delivered with
valid DKIM signatures.

More information about the dns-operations mailing list