[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Paul Vixie paul at redbarn.org
Mon Sep 5 07:37:31 UTC 2016



Dave Warren wrote:
> On Sun, Sep 4, 2016, at 22:56, Shane Kerr wrote:
>> ... do what works, especially if it is cheap & easy with no drawbacks. :)
>
> I think it's the "no drawbacks" that is a point of contention. The
> drawback is the loss of ANY functionality, which is quite useful to
> humans.

some of the people who are blocking ANY still allow it over TCP, because 
spoofing TCP is pretty hard. that doesn't make blocking ANY less silly, 
but it does preserve the purported advantages of what is essentially a 
diagnostic query. (production systems should not use ANY, noting that 
sendmail did so for many years.)

my point of contention is around "works" and also "cheap & easy". it 
will work until it is bypassed, and it will be bypassed very cheaply. 
and, blocking ANY is neither cheap nor easy when you consider the TCO.

blocking ANY is just silly.

-- 
P Vixie
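The compromise described above (refuse ANY over UDP, where the source address can be forged, but still answer it over TCP) can be implemented without any firewall rule at all: the server answers a UDP ANY query with an empty response that has the TC (truncated) bit set, and a well-behaved resolver retries the same question over TCP. The following is an added example, not code from this thread or from any named DNS server; it uses a small hand-rolled DNS header parser, a constructed query as input, and the policy function `any_policy`, all of which are this example's own names. The TC-bit technique is one way to realise the "allow over TCP only" behaviour the post mentions, and is the approach RFC 8482 lists alongside minimal HINFO answers.

```python
"""Decide how a DNS server should treat QTYPE=ANY depending on transport.

Policy demonstrated (a defender's choice, matching the thread's description):
  * ANY over TCP  -> serve normally (TCP handshake makes source spoofing hard)
  * ANY over UDP  -> reply with an empty, TC=1 response so the client retries
                     over TCP; no amplification payload ever leaves over UDP
  * other QTYPEs  -> serve normally
"""
import struct

QTYPE_ANY = 255          # RFC 1035 QTYPE "*" (ANY)
FLAG_QR = 0x8000         # response bit
FLAG_TC = 0x0200         # truncation bit
FLAG_RD = 0x0100         # recursion desired (copied back to the client)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal one-question DNS query (constructed sample input)."""
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Parse header + first question; return (txid, flags, qname, qtype, qclass, end)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, ".".join(labels) + ".", qtype, qclass, off + 4


def any_policy(msg: bytes, transport: str):
    """Return ("serve", None) or ("truncate", response_bytes).

    "serve" means hand the query to the normal answer path; "truncate" means
    send the returned bytes immediately and do no further work for this query.
    """
    txid, flags, _qname, qtype, _qclass, qend = parse_question(msg)
    if qtype != QTYPE_ANY or transport.lower() == "tcp":
        return "serve", None
    # UDP ANY: echo the question only, QR+TC set, zero answer records.
    hdr = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_TC | (flags & FLAG_RD), 1, 0, 0, 0)
    return "truncate", hdr + msg[12:qend]


def is_truncated(resp: bytes) -> bool:
    """True if the response carries QR=1 and TC=1 (client should retry over TCP)."""
    flags = struct.unpack("!H", resp[2:4])[0]
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)


if __name__ == "__main__":
    q = build_query("example.com.", QTYPE_ANY)
    print("ANY/tcp ->", any_policy(q, "tcp")[0])
    action, resp = any_policy(q, "udp")
    print("ANY/udp ->", action, "TC set:", is_truncated(resp))
```

Because the truncated reply is never larger than the question that caused it, a spoofed UDP ANY query cannot be turned into amplification, while an operator debugging a zone still gets the full ANY answer by using TCP. The same parser also lets a resolver-side monitor count how many ANY queries arrive per source, which is the cheaper place to notice an abuse pattern.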