[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Mark Andrews marka at isc.org
Thu Sep 8 13:51:49 UTC 2016


In message <70D29BCD-3687-42AB-BFB9-66193C66858B at puck.nether.net>, Jared Mauch 
writes:
>
> > On Sep 6, 2016, at 10:20 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > You will note that "ANY" isn't a type (or class) name.  It is "*".
> >
> > And when that fails because the response doesn't fit in 64K?
> >
> > And types above 255 exist today.
> >
> > TYPE  Value  Meaning                                                    Reference                     Template                     Registered
> > *     255    A request for all records the server/cache has available   [RFC1035][RFC6895]
> > URI   256    URI                                                        [RFC7553]                     URI/uri-completed-template   2011-02-22
> > CAA   257    Certification Authority Restriction                        [RFC6844]                     CAA/caa-completed-template   2011-04-07
> > AVC   258    Application Visibility and Control                         [Wolfgang_Riedel]             AVC/avc-completed-template   2016-02-26
> > TA    32768  DNSSEC Trust Authorities                                   [Sam_Weiler][http://cameo.library.cmu.edu/][Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.]   2005-12-13
> > DLV   32769  DNSSEC Lookaside Validation                                [RFC4431]
>
> Well, I think this inherently is the problem, I may want to say for
> QNAME=nether.net please give me relevant types to help diagnose a
> problem, but this requires the client to enumerate many types.  It’s not
> that it’s not {0,255}, it’s we don’t know what’s there.
>
> The varying implementations of ANY have always been a problem (cached vs
> fetching .*) but troubleshooting by a human can certainly go TCP to fetch
> ANY, require nonce, cookies or all of the above.  I can retrain the
> fingers to use something that does 65535 queries in the background if
> necessary, but having me foreach {1,65535} is something the software
> should provide and what computers are for.  I shouldn’t have to create
> that wheel each time :)
>
> - Jared

The *only* ways to get all the types at a name reliably are to perform
an AXFR of the zone or to query for all of them individually.  *
does not guarantee that all types at the name will be delivered.
If you want * to do that then the protocol needs to be extended to
support returning multiple messages to a single query.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
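The per-type walk that Jared asks for and that Mark names as one of the two reliable methods, written out as an added example (not code from this thread, from ISC or from BIND). It builds one wire-format query per type value from a small constructed slice of the IANA TYPE registry (including URI, CAA, AVC, TA and DLV, which all sit above 255, the value of "*"), parses each answer section, and flags truncated (TC=1) replies so the caller retries over TCP instead of accepting a partial view. The name `example.test.`, the `fake_server` stand-in and the `SAMPLE_ZONE` contents are constructed so the script runs offline; against a real server the `send` callable would be a UDP or TCP socket wrapper.

```python
import struct

# Constructed subset of the IANA RR TYPE registry, using values from the
# quoted table; several of them lie above 255, the QTYPE value of "*" (ANY).
RR_TYPES = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
    "URI": 256, "CAA": 257, "AVC": 258, "TA": 32768, "DLV": 32769,
}


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid=0x1234):
    """Standard query (RD=1) for one QTYPE; the QTYPE field is a full 16 bits."""
    if not 0 <= qtype <= 0xFFFF:
        raise ValueError("QTYPE must fit in 16 bits")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                             # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_answers(msg):
    """Return (tc_flag, [(name, rtype, ttl, rdata), ...]) from the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                      # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return bool(flags & 0x0200), answers


def enumerate_types(qname, send, types=RR_TYPES):
    """Query each type separately; send(query_bytes) must return response_bytes.
    Returns ({type_value: [rdata, ...]}, [names of types whose reply had TC=1])."""
    found, truncated = {}, []
    for tname, tval in types.items():
        tc, answers = parse_answers(send(build_query(qname, tval)))
        rdatas = [rd for (_, rtype, _, rd) in answers if rtype == tval]
        if tc:
            truncated.append(tname)                   # caller should retry over TCP
        if rdatas:
            found[tval] = rdatas
    return found, truncated


def fake_server(zone):
    """Constructed stand-in for a real server so the walk runs offline:
    zone maps (owner, type_value) -> [rdata bytes]. Returns a send() callable."""
    def send(query):
        qid = struct.unpack("!H", query[:2])[0]
        qname, off = decode_name(query, 12)
        qtype = struct.unpack("!H", query[off:off + 2])[0]
        rrs = zone.get((qname, qtype), [])
        body = query[12:off + 4]                      # echo the question section
        for rd in rrs:
            body += encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rd)) + rd
        return struct.pack("!HHHHHH", qid, 0x8180, 1, len(rrs), 0, 0) + body
    return send


# Constructed sample zone: A, CAA and TA records at one owner name.
SAMPLE_ZONE = {
    ("example.test.", 1): [bytes([192, 0, 2, 1])],
    ("example.test.", 257): [b"\x00\x05issue" + b"ca.example"],
    ("example.test.", 32768): [b"\x00\x01\x08\x01" + b"\x00" * 20],
}

if __name__ == "__main__":
    found, truncated = enumerate_types("example.test.", fake_server(SAMPLE_ZONE))
    for tval, rdatas in sorted(found.items()):
        print(tval, [rd.hex() for rd in rdatas])
```

The type list is the part to grow: the walk is only as complete as the registry slice it is given, which is exactly the trade-off Mark describes against AXFR. Replies carrying TC=1 are surfaced rather than dropped so that a UDP-sized partial answer is never mistaken for "no other records here".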


