[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Paul Vixie
paul at redbarn.org
Mon Sep 5 07:37:31 UTC 2016
Dave Warren wrote:
> On Sun, Sep 4, 2016, at 22:56, Shane Kerr wrote:
>> ... do what works, especially if it is cheap & easy with no drawbacks. :)
>
> I think it's the "no drawbacks" that is a point of contention. The
> drawback is the loss of ANY functionality, which is quite useful to
> humans.
some of the people who are blocking ANY still allow it over TCP, because
spoofing TCP is pretty hard. that doesn't make blocking ANY less silly,
but it does preserve the purported advantages of what is essentially a
diagnostic query. (production systems should not use ANY, noting that
sendmail did so for many years.)
my point of contention is around "works" and also "cheap & easy". it
will work until it is bypassed, and it will be bypassed very cheaply.
and, blocking ANY is neither cheap nor easy when you consider the TCO.
blocking ANY is just silly.
--
P Vixie
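The split Vixie describes above (refuse ANY over UDP, still answer it over TCP) can be shown end to end in a few dozen lines. The following is an added example, not code from the post or from any DNS server: a toy authoritative responder that answers a UDP ANY query with an empty, truncated (TC=1) reply so that an RFC 1035 client retries over TCP, where the query is answered normally, plus the client-side retry logic. The zone contents, the name example.test. and the query bytes are constructed for the demo; the size helper at the end is there to show what the post calls the cheap bypass, that a plain TXT query over UDP still returns nearly the same payload as ANY did (that reading of "bypassed" is my assumption, since the post does not spell it out).

```python
"""Added example (not from the dns-operations post): block ANY over UDP,
allow it over TCP, and follow the TC bit on the client side.
Wire format per RFC 1035; zone data and queries below are constructed."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
FLAG_QR, FLAG_TC, FLAG_AA = 0x8000, 0x0200, 0x0400

# Constructed toy zone: owner name -> list of (qtype, rdata bytes).
ZONE = {
    "example.test.": [
        (QTYPE_A, bytes([192, 0, 2, 1])),
        (QTYPE_TXT, b"\x0bhello world"),  # <character-string>: length byte + text
    ],
}

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer; never present in our own queries
            raise ValueError("compression pointers not supported in this toy")
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset

def build_query(qid, name, qtype):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, name, qtype, qclass

def respond(query, transport):
    """Server policy: ANY over UDP gets an empty answer with TC=1, which
    makes a conforming client retry over TCP; everything else is answered.
    (Toy: unknown names get NOERROR with no answers, no NXDOMAIN handling.)"""
    qid, name, qtype, qclass = parse_query(query)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    flags = FLAG_QR | FLAG_AA
    if qtype == QTYPE_ANY and transport == "udp":
        header = struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0)
        return header + question
    rrs = [(t, rd) for (t, rd) in ZONE.get(name, []) if qtype in (QTYPE_ANY, t)]
    answer = b""
    for t, rd in rrs:
        # owner name, TYPE, CLASS IN, TTL 300, RDLENGTH, RDATA
        answer += encode_name(name) + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    header = struct.pack("!HHHHHH", qid, flags, 1, len(rrs), 0, 0)
    return header + question + answer

def response_summary(resp):
    """Return (truncated, answer_count) read from a response header."""
    _, flags, _, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return bool(flags & FLAG_TC), an

def resolve(name, qtype):
    """Client side: UDP first; if TC=1 comes back, repeat the query over TCP.
    Returns (transport that produced the final answer, answer count)."""
    q = build_query(0x1234, name, qtype)
    resp = respond(q, "udp")
    truncated, _ = response_summary(resp)
    transport = "udp"
    if truncated:
        resp = respond(q, "tcp")
        transport = "tcp"
    return transport, response_summary(resp)[1]

def udp_answer_size(name, qtype):
    """Bytes a spoofed-source UDP query of this type would elicit."""
    return len(respond(build_query(1, name, qtype), "udp"))

if __name__ == "__main__":
    print("A   :", resolve("example.test.", QTYPE_A))
    print("ANY :", resolve("example.test.", QTYPE_ANY))
    for t in (QTYPE_ANY, QTYPE_TXT):
        print("UDP bytes for qtype", t, "=", udp_answer_size("example.test.", t))
```

Run as is, the A query is answered over UDP, the ANY query is answered only after the TC-driven TCP retry, and the UDP size comparison shows that whoever wanted a large UDP reply from this server can simply ask for TXT instead of ANY.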