[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well
Jared Mauch
jared at puck.nether.net
Wed Sep 7 13:14:09 UTC 2016
> On Sep 6, 2016, at 10:20 PM, Mark Andrews <marka at isc.org> wrote:
>
> You will note that "ANY" isn't a type (or class) name. It is "*".
>
> And when that fails because the response doesn't fit in 64K?
>
> And types above 255 exist today.
>
> * 255 A request for all records the server/cache has available [RFC1035][RFC6895]
> URI 256 URI [RFC7553] URI/uri-completed-template 2011-02-22
> CAA 257 Certification Authority Restriction [RFC6844] CAA/caa-completed-template 2011-04-07
> AVC 258 Application Visibility and Control [Wolfgang_Riedel] AVC/avc-completed-template 2016-02-26
> TA 32768 DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13
> DLV 32769 DNSSEC Lookaside Validation [RFC4431]
Well, I think this inherently is the problem, I may want to say for QNAME=nether.net please give me relevant types to help diagnose a problem, but this requires the client to enumerate many types. It’s not that it’s not {0,255}, it’s that we don’t know what’s there.
The varying implementations of ANY have always been a problem (cached vs fetching .*) but troubleshooting by a human can certainly go TCP to fetch ANY, require nonce, cookies or all of the above. I can retrain the fingers to use something that does 65535 queries in the background if necessary, but having me foreach {1,65535} is something the software should provide and what computers are for. I shouldn’t have to create that wheel each time :)
- Jared