[dns-operations] CloudFlare policy on ANY records changing

Olafur Gudmundsson ogud at ogud.com
Fri Mar 6 16:02:16 UTC 2015


> On Mar 6, 2015, at 10:54 AM, Anthony Eden <anthony.eden at dnsimple.com> wrote:
> 
> Olafur,
> 
> Out of curiosity, have you considered forcing ANY queries over to TCP in all cases as a starting point to see what impact it has, if any?
> 
> Sincerely,
> Anthony Eden
> 
Yes, we have been doing that for the last few months.
That does help a lot, but it still allows attackers to fill recursive resolvers with large answers to replay.
For us the main advantage of doing NOTIMP is code simplicity: we can generate the return packet without hitting the actual DNS server.
Another thought we had was to “poison” resolvers with a bogus long-lived record like
        <qname> 1W HINFO “Stop sending” “ANY query”

   Olafur


> On Fri, Mar 6, 2015 at 4:48 PM, Casey Deccio <casey at deccio.net> wrote:
> On Fri, Mar 6, 2015 at 10:05 AM, Olafur Gudmundsson <ogud at ogud.com> wrote:
> 
> We will be deprecating support for ANY queries and returning NOTIMP in the near future
> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> 
> ID proposing this behavior will be forthcoming 
> 
> 
> Be prepared...  Less than two years ago a prominent DNS service began denying ANY queries for a previous employer's domain, and some (important) emails were not delivered.  Historical measurements will help quantify potential issues, but certainly those are not comprehensive, and like anything, there will be breakage.
> 
> I'm not suggesting it's not the right direction, but the change seems somewhat abrupt, and might result in some undesirable near-term effects.  Community support and publicity could help mitigate issues.
> 
> 
> Best regards,
> Casey
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 
> 
> 
> -- 
> DNSimple.com
> http://dnsimple.com/
> Twitter: @dnsimple
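The three options Olafur's reply puts on the table (forcing ANY over TCP, answering NOTIMP straight from a front end without touching the real server, and handing back a long-lived bogus HINFO "poison" record) are shown below as an added, self-contained example. It is not CloudFlare's code and not part of the original thread. It assumes RFC 1035 wire format and the standard library only; the policy names, the use of an empty TC=1 reply as the mechanism for pushing a UDP client to TCP, the reading of "1W" as 604800 seconds, and the sample query are choices made for the example.

```python
"""Disposing of an ANY query in a front end, three ways (example code, not CloudFlare's):

  tcp-only : answer UDP ANY with an empty truncated reply (TC=1) so the client
             retries over TCP; an ANY that already arrived over TCP is passed
             through (None).  TC=1 as the mechanism is this example's assumption.
  notimp   : answer RCODE NOTIMP with no records, built from the query alone.
  hinfo    : answer with the bogus long-lived record from the thread,
             <qname> 1W HINFO "Stop sending" "ANY query", so the resolver caches
             it and stops asking.

Wire format per RFC 1035; stdlib only."""
import struct

QTYPE_A, QTYPE_HINFO, QTYPE_ANY = 1, 13, 255
QCLASS_IN = 1
RCODE_NOERROR, RCODE_NOTIMP = 0, 4
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
OPCODE_MASK, RCODE_MASK = 0x7800, 0x000F
ONE_WEEK = 7 * 24 * 3600        # "1W" from the thread, as a TTL in seconds (assumed reading)
NAME_PTR_QUESTION = 0xC00C      # compression pointer to the question name at offset 12


def encode_name(name):
    """Encode "example.com." as DNS labels: \\x07example\\x03com\\x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode an uncompressed name at pkt[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """Pull out what the front end needs: id, flags and the single question."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than a DNS header")
    qid, flags, qdcount, _, _, _ = struct.unpack("!6H", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": qid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": pkt[12:off + 4]}


def build_query(qname, qtype, qid=0x1234):
    """Build a minimal recursion-desired query (used here to construct sample input)."""
    return (struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 0) + encode_name(qname)
            + struct.pack("!HH", qtype, QCLASS_IN))


def hinfo_rdata(cpu, os_):
    """HINFO RDATA is two <character-string>s: a length byte followed by the text."""
    return b"".join(bytes([len(s)]) + s.encode("ascii") for s in (cpu, os_))


def answer_any(query, transport, policy):
    """Return a response packet for an ANY query, or None to pass the query
    through to the real server.  transport is "udp" or "tcp"."""
    q = parse_query(query)
    if q["qtype"] != QTYPE_ANY:
        return None                                   # not ANY: not our concern
    # Echo opcode and RD, set QR; everything else is synthesised here.
    flags = FLAG_QR | (q["flags"] & (OPCODE_MASK | FLAG_RD))
    if policy == "tcp-only":
        if transport == "tcp":
            return None                               # let the server answer over TCP
        header = struct.pack("!6H", q["id"], flags | FLAG_TC, 1, 0, 0, 0)
        return header + q["question"]                 # empty, truncated: client retries over TCP
    if policy == "notimp":
        header = struct.pack("!6H", q["id"], flags | RCODE_NOTIMP, 1, 0, 0, 0)
        return header + q["question"]
    if policy == "hinfo":
        rdata = hinfo_rdata("Stop sending", "ANY query")
        rr = struct.pack("!HHHIH", NAME_PTR_QUESTION, QTYPE_HINFO, QCLASS_IN,
                         ONE_WEEK, len(rdata)) + rdata
        header = struct.pack("!6H", q["id"], flags | FLAG_AA, 1, 1, 0, 0)
        return header + q["question"] + rr
    raise ValueError("unknown policy: %r" % policy)


def summarize(resp):
    """Decode the header fields a resolver acts on (used to check results)."""
    qid, flags, qd, an, _, _ = struct.unpack("!6H", resp[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an}


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_ANY)        # constructed sample query
    for policy in ("tcp-only", "notimp", "hinfo"):
        r = answer_any(q, "udp", policy)
        print(policy, summarize(r), len(r), "bytes")
```

The point Olafur makes about code simplicity is visible in the "notimp" branch: the reply is the query's own header and question with QR set and RCODE changed, so nothing behind the front end is consulted. The "hinfo" branch is the only one that grows the packet, which is also why it is the only one that leaves something cacheable in the resolver.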
