[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Jared Mauch jared at puck.nether.net
Wed Sep 7 13:14:09 UTC 2016

> On Sep 6, 2016, at 10:20 PM, Mark Andrews <marka at isc.org> wrote:
> You will note that "ANY" isn't a type (or class) name.  It is "*".
> And when that fails because the response doesn't fit in 64K?
> And types above 255 exist today.
> *	255	A request for all records the server/cache has available	[RFC1035][RFC6895]		
> URI	256	URI	[RFC7553]	URI/uri-completed-template	2011-02-22
> CAA	257	Certification Authority Restriction	[RFC6844]	CAA/caa-completed-template	2011-04-07
> AVC	258	Application Visibility and Control	[Wolfgang_Riedel]	AVC/avc-completed-template	2016-02-26
> TA	32768	DNSSEC Trust Authorities	[Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.]		2005-12-13
> DLV	32769	DNSSEC Lookaside Validation	[RFC4431]		

Well, I think this inherently is the problem, I may want to say for QNAME=nether.net please give me relevant types to help diagnose a problem, but this requires the client to enumerate many types.  It’s not that it’s not {0,255}, it’s we don’t know what’s there.  

The varying implementations of ANY have always been a problem (cached vs fetching .*) but troubleshooting by a human can certainly go TCP to fetch ANY, require nonce, cookies or all of the above.  I can retrain the fingers to use something that does 65535 queries in the background if necessary, but having me foreach {1,65535} is something the software should provide and what computers are for.  I shouldn’t have to create that wheel each time :)

- Jared

More information about the dns-operations mailing list