> From: Tony Finch <d...@dotat.at>

> I think it's wrong to focus on ANY queries: restricting them just
> encourages the attackers to move on to another query type. For a domain
> with DNSSEC you get almost as much data in return to an MX query - 2KB vs
> 1.5KB for cam.ac.uk.

Today I see 2232 byte responses for another type from the authoritative servers for another domain often discussed in this context. That obvious type is not TXT, SPF, MX, or anything else that might be deleted, deprecated, shrunk, compressed, moved to an apex, or whatever.

ANY queries might be of little use to computers, but I find them useful while chasing DNS problems.

Emergency patches against ANY to last for a day or two for lack of other available tools can make good sense--for a day or so. But spending any long term effort on ANY queries in this context is the same "thinking" that brought us SPF as the final ultimate solution to the spam problem (FUSSP), because as we all "knew," spam requires forged senders. That analogy goes farther than one might realize, because some of the ANY "solutions" I've heard include analogs of the amazingly uninformed and wrong headed SPF re-invention of SMTP source routes.

Vernon Schryver v...@rhyolite.com

P.S. I know the current line is that SPF is not and never was a FUSSP; that doesn't change what was said at the time. I also know that DKIM has some real operational value, despite the fact that plenty of unsolicited, objectionable bulk email advertising is delivered with valid DKIM signatures.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations