[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Paul Vixie paul at redbarn.org
Wed Sep 7 01:43:23 UTC 2016

Jared Mauch wrote:
>> On Sep 5, 2016, at 2:52 AM, Dave Warren<davew at hireahit.com>  wrote:
>> I think it's the "no drawbacks" that is a point of contention. The
>> drawback is the loss of ANY functionality, which is quite useful to
>> humans.
> This is my problem, I’ve relied on ‘any’ for years to not need to know the QTYPE and get back
> related information at a specific node.  Having to enumerate 250+ types as a human is
> frustration and still not clearly resolved.  The AnyA to return AAAA or A will be helpful
> once it appears, or if applications like dig do the complex computer part for the humans,
> but often times the pedantic folks prevent user friendly solutions.

that could be fixed by always-return-TC on UDP ANY. but that would make 
ANY no less useful for DDoS, since reflection is the primary virtue, and 
amplification is a nice-to-have. and, this would not make amplification 
more difficult to reach; negative DNSSEC responses have some pretty 
large proofs associated with them.

P Vixie

More information about the dns-operations mailing list