[dns-operations] CloudFlare policy on ANY records changing

David C Lawrence <tale at akamai.com>
Tue Mar 10 18:19:51 UTC 2015


Paul Hoffman writes:
> On Mar 10, 2015, at 8:46 AM, David C Lawrence <tale at akamai.com> wrote:
> > One down side there, however, is that REFUSED as understood by
> > resolvers commonly has the semantic currently that the name is not
> > hosted by the server at all.
> 
> If a resolver is sending an ANY before it sends its actual request, that
> could be a problem. However, they shouldn't be doing that.

Yeah, we've well established they shouldn't.

Bad guys often don't care about what they shouldn't be doing, though,
and (untested assertion follows) using REFUSED responses for ANY
queries of random names could be a pretty useful vector for getting
all of the servers for a domain declared lame.

I'm not saying that ultimately the REFUSED approach is unworkable,
just that I'd like to see some practical testing of it in addition to
the support of the philosophical purity of it.
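
For the practical testing asked for above, the following is an added example, not part of the original message or of anyone's resolver code. It is a stdlib-only Python probe that sends an ANY query and an A query for the same name to an authoritative server, decodes the RCODE of each, and reports whether the server refuses only ANY or refuses the name altogether, which is the distinction a resolver would have to make before treating a REFUSED as "not hosted here". The classification labels, the default query types and the command-line usage are this example's own assumptions.

```python
"""Probe whether an authoritative server refuses ANY while still answering a real type.

Stdlib only. probe() uses the network; build_query(), parse_header() and
classify() are pure and can be exercised on constructed messages.
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ANY": 255}


def build_query(name, qtype, qid=0x1234):
    """Wire-format DNS query with RD=0, as an iterative resolver sends to an authority."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(msg):
    """Decode the 12-byte header; rcode comes back as a name (REFUSED, NXDOMAIN, ...)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rcode": RCODES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def probe(server, name, qtypes=("ANY", "A"), timeout=2.0):
    """Send one query per type over UDP and return {qtype: rcode}. Uses the network."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, qt in enumerate(qtypes):
            qid = 0x1000 + i
            sock.sendto(build_query(name, qt, qid), (server, 53))
            try:
                resp, _ = sock.recvfrom(4096)
            except socket.timeout:
                results[qt] = "TIMEOUT"
                continue
            hdr = parse_header(resp)
            if hdr["id"] != qid or not hdr["qr"]:
                results[qt] = "BOGUS"   # wrong ID or not a response: not our answer
                continue
            results[qt] = hdr["rcode"]
    return results


def classify(rcode_by_qtype):
    """Interpret a probe result (label names are this example's own).

    The ANY rcode on its own does not tell a resolver whether the name is
    hosted on the server; only the rcodes for real types do.
    """
    real = {qt: rc for qt, rc in rcode_by_qtype.items() if qt != "ANY"}
    if real and all(rc == "REFUSED" for rc in real.values()):
        return "refused-all"          # every type refused: looks genuinely lame
    if rcode_by_qtype.get("ANY") == "REFUSED":
        return "refused-any-only"     # ANY policy only; marking lame on this is wrong
    return "answers-any"


if __name__ == "__main__":
    # usage: python probe_any.py <server-ip> <name>
    server, name = sys.argv[1], sys.argv[2]
    rcodes = probe(server, name)
    print(rcodes, "->", classify(rcodes))
```

Run it against each listed nameserver for a zone with a name that exists and again with a random label; a server in the "refused-any-only" state answers A while refusing ANY, and a resolver that concluded lameness from the ANY response alone would be wrong about it.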
