[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Paul Vixie
paul at redbarn.org
Wed Sep 7 01:43:23 UTC 2016
Jared Mauch wrote:
>> On Sep 5, 2016, at 2:52 AM, Dave Warren <davew at hireahit.com> wrote:
>>
>> I think it's the "no drawbacks" that is a point of contention. The
>> drawback is the loss of ANY functionality, which is quite useful to
>> humans.
>>
>
> This is my problem, I’ve relied on ‘any’ for years to not need to know the QTYPE and get back
> related information at a specific node. Having to enumerate 250+ types as a human is
> frustrating and still not clearly resolved. The AnyA to return AAAA or A will be helpful
> once it appears, or if applications like dig do the complex computer part for the humans,
> but oftentimes the pedantic folks prevent user friendly solutions.
that could be fixed by always-return-TC on UDP ANY. but that would make
ANY no less useful for DDoS, since reflection is the primary virtue, and
amplification is a nice-to-have. and, this would not make amplification
more difficult to reach; negative DNSSEC responses have some pretty
large proofs associated with them.
--
P Vixie
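Added example, not code from the thread or any of its participants: a minimal authoritative-side policy implementing the "always return TC on UDP ANY" behaviour Vixie describes. Over UDP, an ANY query gets an empty response with the TC bit set (same size as the query, so the reflected packet amplifies nothing) and the client retries over TCP, where it cannot be spoofed; over TCP the function returns None and the query is answered normally. Treating SOA the same way follows the subject line of the thread and is an assumption here, as are all function names.

```python
import struct

QTYPE_SOA = 6
QTYPE_ANY = 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100

# QTYPEs that get an empty TC=1 reply over UDP so the client retries over TCP.
# ANY is the case discussed in the thread; SOA is added per the subject line (assumption).
TRUNCATE_OVER_UDP = {QTYPE_ANY, QTYPE_SOA}


def parse_question(msg: bytes):
    """Return (id, flags, qname, qtype, question_section_bytes) of a one-question query."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in the question name
            raise ValueError("compression pointer in question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return msg_id, flags, ".".join(labels) + ".", qtype, msg[12:pos + 4]


def build_query(qname: str, qtype: int, msg_id: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal RD=1 query for qname/qtype, class IN."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def tc_response_for(query: bytes, transport: str):
    """Return an empty TC=1 response if this UDP query should be pushed to TCP, else None."""
    msg_id, flags, _qname, qtype, question = parse_question(query)
    if transport != "udp" or qtype not in TRUNCATE_OVER_UDP:
        return None  # answer normally
    # QR=1, AA=1, TC=1, RD echoed; no answer records, so reply size == query size.
    rflags = FLAG_QR | FLAG_AA | FLAG_TC | (flags & FLAG_RD)
    return struct.pack("!HHHHHH", msg_id, rflags, 1, 0, 0, 0) + question


def is_truncated(response: bytes) -> bool:
    """True when the TC bit is set, i.e. the client should retry the query over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)
```

As Vixie notes, this removes the amplification from UDP ANY but not the reflection: the spoofed source still receives a packet, just not a larger one.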