[dns-operations] dnsop-any-notimp violates the DNS standards

bert hubert bert.hubert at netherlabs.nl
Mon Mar 16 14:23:50 UTC 2015


On Mon, Mar 09, 2015 at 04:18:12PM +0100, bert hubert wrote:
> On Mon, Mar 09, 2015 at 11:08:03AM -0000, D. J. Bernstein wrote:
> > My "qmail" software is very widely deployed (on roughly 1 million SMTP
> > server IP addresses) and, by default, relies upon ANY queries in a way
> > that is guaranteed to work by the mandatory DNS standards.
(...)
> Do you think I read 4.3.2 wrong? Or is there another RFC that updates the
> algorithm?

Thanks to some clarification from Dan, I now understand that one can indeed
rely on ANY queries to resolvers to either deliver a CNAME or no CNAME, in
which case there is no CNAME. 

Separately, I fail to see why we actually need to outlaw ANY queries when we
can happily TC=1 them. 

I realize it is nice to do house cleaning in DNS, but I also realize that
having a document that says we deprecated ANY queries is not going to change
a lot about the real world. People will continue to perform them and expect
them to work.

A TC=1 answer does not generate any UDP packet amplification that can be
used for reflection attacks, and in my experience, TCP/IP performance these
days is stunning enough that the few legit ANY queries that come back pose
no issue.
http://blog.powerdns.com/2013/06/25/simple-tcpip-dns-benchmarking-tool/ has
some numbers.

Incidentally, our new tool 'dnsdist' [1] implements any-to-tcp as a setting,
proving that it could be added to any setup w/o too much work.

[1] http://dnsdist.org/ 


	Bert
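The any-to-tcp policy discussed in this post, written out as an added example (this is not Bert's code nor the dnsdist implementation): a UDP query for QTYPE ANY gets back an empty answer with TC=1 so the client retries over TCP, and the response is no larger than the query, so there is nothing to amplify. The sample query is constructed inline.

```python
import struct

QTYPE_ANY = 255     # RFC 1035 QTYPE "*" (ANY)
FLAG_QR = 0x8000    # response
FLAG_TC = 0x0200    # truncated: client should retry over TCP
FLAG_RD = 0x0100    # recursion desired (echoed back from the query)

def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype, rd=True):
    """Constructed sample input: a minimal one-question query, IN class."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, qtype, offset just past the question section)."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    while True:                      # walk the labels of QNAME
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1 + ln
    qtype, = struct.unpack("!H", msg[off:off + 2])
    return txid, flags, qtype, off + 4   # skip QTYPE and QCLASS

def any_to_tcp(query):
    """Return a TC=1 response for an ANY query over UDP; None means 'answer normally'."""
    txid, flags, qtype, qend = parse_question(query)
    if qtype != QTYPE_ANY:
        return None
    resp_flags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)   # RCODE 0, no answers
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:qend]       # echo the question section only

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def amplification(query, response):
    """Bytes returned per byte received; 1.0 means no amplification."""
    return len(response) / len(query)
```

Because the response carries no resource records, its size equals the query's regardless of how large the zone's ANY answer would have been, which is the property that makes the reflection math uninteresting.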


