[dns-operations] Software that refuses an answer by QTYPE if it comes over plain UDP?

Edward Lewis edward.lewis at icann.org
Wed Mar 16 11:53:31 UTC 2016


On 3/16/16, 2:41, "dns-operations on behalf of Dave Warren"
<dns-operations-bounces at dns-oarc.net on behalf of davew at hireahit.com>
wrote:

>Yet CloudFlare went further, disabling them over TCP as well. I'm a
>little disappointed by this as they're certainly a timesaver when
>troubleshooting (although I suppose that doesn't make any difference to
>them)

Another TLD operator disabled ANY queries last spring and I adjusted my
scripts accordingly.  The tradeoff is - more queries vs. a single larger
response.  If the worry is simply amplified reflective attacks, I don't
see this tradeoff benefitting anyone.  (Addressing the dropping of T_ANY
over TCP or other stream protocols.)  That doesn't mean I am against
removing ANY queries, I just don't put a line of reasoning solely on a
so-called security threat.

On the other hand, I think that the ANY query is one of the mistakes made
in the original design of the protocol.  As much as they are useful for
third party monitoring and debugging, with the way the DNS service market
has evolved we might be past the stage where I'd consider that as a
legitimate reason to support ANY queries.  Without ANY queries, I'd put
higher expectations on technical help desks to fix things with internal
tools.  In many cases that could be considered "dreaming."

Ed
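As an added illustration (not part of Ed's message or of the thread), the following Python builds minimal DNS wire-format packets for a set of constructed RRsets and compares the per-packet amplification of one ANY response over UDP with the per-type alternative Ed describes. The owner name and record sizes are assumptions; EDNS, DNSSEC records and name compression beyond the question pointer are left out.

```python
import struct

RTYPE_CODES = {"A": 1, "AAAA": 28, "MX": 15, "TXT": 16, "ANY": 255}

# Constructed RRsets for one owner name: type -> list of RDATA lengths in bytes.
# These sizes are illustrative assumptions, not measurements of any real zone.
EXAMPLE_RRSETS = {"A": [4, 4], "AAAA": [16], "MX": [20, 20], "TXT": [255, 120]}

def encode_name(name):
    """Encode a dotted owner name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, rtype):
    """Minimal query: 12-byte header plus one question; no EDNS OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RTYPE_CODES[rtype], 1)

def build_response(name, rtype, rrsets):
    """Answer with the question echoed and one RR per RDATA. Each RR owner is a
    2-byte compression pointer to the question name (offset 12)."""
    wanted = rrsets if rtype == "ANY" else {rtype: rrsets.get(rtype, [])}
    answers, count = b"", 0
    for rt, rdata_lengths in wanted.items():
        for rdlen in rdata_lengths:
            # pointer(2) + type(2) + class(2) + ttl(4) + rdlength(2) + rdata
            answers += b"\xc0\x0c" + struct.pack("!HHIH", RTYPE_CODES[rt], 1, 300, rdlen)
            answers += b"\x00" * rdlen  # placeholder RDATA bytes
            count += 1
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, count, 0, 0)
    question = encode_name(name) + struct.pack("!HH", RTYPE_CODES[rtype], 1)
    return header + question + answers

def amplification(name, rtype, rrsets):
    """Response bytes per query byte for a single UDP exchange."""
    return len(build_response(name, rtype, rrsets)) / len(build_query(name, rtype))

def compare(name, rrsets):
    """ANY: one query, one large answer. Per-type: one query per RRset."""
    any_q = len(build_query(name, "ANY"))
    any_r = len(build_response(name, "ANY", rrsets))
    per_q = sum(len(build_query(name, t)) for t in rrsets)
    per_r = sum(len(build_response(name, t, rrsets)) for t in rrsets)
    # The per-type path costs more total bytes but spreads the reply over
    # several packets, each with a lower amplification ratio than the ANY reply.
    return {"any": (any_q, any_r, any_r / any_q), "per_type": (per_q, per_r, per_r / per_q)}

if __name__ == "__main__":
    for mode, (q, r, ratio) in compare("example.com.", EXAMPLE_RRSETS).items():
        print(f"{mode:9s} query={q:4d}B response={r:4d}B ratio={ratio:.1f}x")
```

Over TCP the same byte counts apply, but the source address has been validated by the handshake, which is why dropping ANY there buys nothing against reflection.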