On 03/16/15 07:23, bert hubert wrote:
> Separately, I fail to see why we actually need to outlaw ANY queries when we
> can happily TC=1 them.

If the public recursives also support TC=1 on all ANY queries, then this works. If not, the issue arises where just-below-the-radar attacks are using many public recursives, in which case you're not stopping much.

The problem is exacerbated when you have NSEC3-signed zones where the NSEC3PARAM RR TTL is set to 0, so you end up with lots of TCP queries to the authoritative servers of the backend domains that are being used in the attack, since those really are "legitimate" and they are not cached, as some implementations throw out the entire QNAME when the TTL of one of the constituent RRsets expires.

TC=1 means that everyone has to do it, not just the people who want to protect themselves or prevent their services from being used as amplifiers.

I don't really care what course we take, but I think we should do something, because the current situation isn't great. I enjoy getting email from people with ancient qmail implementations (sort of like watching old war movies--you're reminded of a distant-in-time, violent conflagration), but a bigger headache for me right now is the mess that's currently created with QTYPE=ANY.

A "nice" feature might be to redefine ANY as being "what the administrator wants you to see" and then let authoritative servers specify what response is sent for QTYPE=ANY to simultaneously minimize breakage and DoS potential. But that's an awful lot of rope for plenty of hangings, even with sensible defaults.

michael

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
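The TC=1 mechanism the thread is arguing about, shown as an added example that is not code from the thread or from any of the servers mentioned: an authoritative server that receives QTYPE=ANY over UDP answers with an empty, truncated response (QR=1, AA=1, TC=1, question echoed back), so a legitimate resolver retries over TCP while a spoofed-source UDP query gets back no more bytes than it sent. The packet builder, the sample query, and the `handle_udp` policy function are constructed for this illustration (stdlib `struct` only, no network); a real server would also apply the same policy to ANY queries arriving over TCP by answering them normally.

```python
import struct

QTYPE_ANY = 255          # QTYPE value for "ANY" (RFC 1035)
QCLASS_IN = 1
FLAG_QR = 0x8000         # response
FLAG_AA = 0x0400         # authoritative answer
FLAG_TC = 0x0200         # truncated: client should retry over TCP
FLAG_RD = 0x0100         # recursion desired (echoed from the query)


def build_query(qname, qtype, qid=0x1234):
    """Construct a minimal DNS query packet (sample input for the example)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def parse_question(packet):
    """Return (id, flags, qname, qtype, qclass, raw_question) for a one-question packet."""
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return qid, flags, ".".join(labels) + ".", qtype, qclass, packet[12:pos]


def truncated_response(packet):
    """Build the TC=1 reply: same ID, question echoed, all other sections empty."""
    qid, flags, _name, _qtype, _qclass, question = parse_question(packet)
    rflags = FLAG_QR | FLAG_AA | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + question


def handle_udp(packet, truncate_any=True):
    """Policy hook (hypothetical name) for a query arriving over UDP.

    Returns ("truncate", response) when the query is ANY and the policy is on,
    otherwise ("answer", None), meaning fall through to normal processing.
    """
    _qid, _flags, _name, qtype, _qclass, _q = parse_question(packet)
    if qtype == QTYPE_ANY and truncate_any:
        return "truncate", truncated_response(packet)
    return "answer", None


def is_truncated(response):
    """True if the TC bit is set, i.e. the resolver should retry over TCP."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & FLAG_TC)


def amplification(query, response):
    """Bytes returned per byte received: the number an attacker cares about."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY)
    action, resp = handle_udp(q)
    print(action, "TC=%d" % is_truncated(resp),
          "amplification=%.2f" % amplification(q, resp))
```

Run as-is, the ANY query over UDP gets a truncated reply of exactly the query's size (amplification 1.0), while an A query falls through to normal answering. The trade-off michael describes is visible in the code: every TC=1 reply costs a follow-up TCP connection, which is fine for a cached answer at a recursive but becomes real load when the backend's RRsets are not cached and every lookup goes back to the authoritative.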
