[dns-operations] dnsop-any-notimp violates the DNS standards

Michael Sinatra michael at brokendns.net
Mon Mar 16 22:42:09 UTC 2015

On 03/16/15 07:23, bert hubert wrote:

> Separately, I fail to see why we actually need to outlaw ANY queries when we
> can happily TC=1 them. 

If the public recursives also support TC=1 on all ANY queries, then this
works.  If not, the issue arises where just-below-the-radar attacks are
using many public recursives, in which case you're not stopping much.
The problem is exacerbated when you have NSEC3-signed zones where the
NSEC3PARAM RR TTL is set to 0, so you end with lots of TCP queries to
the authoritative servers of the backend domains that are being used in
the attack, since those really are "legitimate" and they are not cached,
as some implementations throw out the entire QNAME when the TTL of one
of the constituent RRsets expires.  TC=1 means that everyone has to do
it, not just the people who want to protect themselves or prevent their
services from being used as amplifiers.

I don't really care what course we take, but I think we should do
something, because the current situation isn't great.  I enjoy getting
email from people with ancient qmail implementations (sort of like
watching old war movies--you're reminded of a distant-in-time, violent
conflagration), but a bigger headache for me right now is the mess
that's currently created with QTYPE=ANY.

A "nice" feature might be to redefine ANY as being "what the
administrator wants you to see" and then let authoritative servers
specify what response is sent for QTYPE=ANY to simultaneously minimize
breakage and DOS potential.  But that's an awful lot of rope for plenty
of hangings, even with sensible defaults.


More information about the dns-operations mailing list