<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Sep 5, 2016 at 8:39 AM, Jim Reid <span dir="ltr"><<a href="mailto:jim@rfc1035.com" target="_blank">jim@rfc1035.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> On 5 Sep 2016, at 15:47, Damian Menscher <<a href="mailto:damian@google.com">damian@google.com</a>> wrote:<br>
><br>
> 1) Bypassing ANY is trivial for the attacker, as they can switch to TXT or any other record.<br>
<br>
</span>Not quite. An attacker can of course easily switch from ANY queries to whatever qtype they choose. This probably won't produce as big a bang for their buck because the response payload for that qtype is unlikely to be as chunky as an ANY response. Or they might only get a NOHOST or NXDOMAIN if there’s no TXT (say) record for the qname.<br></blockquote><div><br></div><div>You're forgetting that attackers can register domains too. I once saw an attack domain set up with ~100 A records, so they could perform amplification with an A? query.</div><div><br></div><div>Damian </div></div></div></div>