On 27 May 2015, at 13:00, Mark Andrews wrote:

> No. Just "different query - must be bad".  "Different query - don't
> know what to do -> drop" from firewall vendors.

For an enterprise, given that there's no defined use, format (and therefore need) for EDNS(1), if your security posture is "default deny, accept what we know we need" then dropping DNS messages with EDNS(1) seems like exactly the right thing to do, doesn't it?

I understand the point that this posture makes future development and deployment of EDNS(1) hard. I understand why that's a pain for protocol development in the DNS. You don't have to explain either of those things to me. (Just saying.)

But it's not like anybody is going to succeed in getting an enterprise or their firewall vendor to say yes when the request they are hearing is "can you please open up this hole for an experimental protocol that nobody apart from me knows anything about, so that I can play with it".

Remember, these are the people that think ICMP is a security risk.


Joe
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
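As an added illustration (not part of Joe's or Mark's mail, and not code from any firewall vendor), the Python below parses the OPT pseudo-RR out of a DNS message and applies the "default deny, accept what we know we need" posture the thread describes: plain DNS and EDNS(0) pass, any other EDNS version is dropped. The message layout follows RFC 1035 and RFC 6891; the sample queries are constructed inline and the function names are my own.

```python
"""Find the EDNS OPT pseudo-RR in a DNS message and apply a default-deny
firewall policy on its version field (added example, not from the thread)."""
import struct
from typing import Optional

OPT_TYPE = 41  # RFC 6891: OPT pseudo-RR type code


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns_version(msg: bytes) -> Optional[int]:
    """Return the EDNS version from the OPT RR, or None if the message has no OPT RR."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            # RFC 6891 s6.1.3: TTL field = EXTENDED-RCODE(8) | VERSION(8) | DO(1) | Z(15)
            return (ttl >> 16) & 0xFF
        off += 10 + rdlen
    return None


def firewall_decision(msg: bytes) -> str:
    """Default-deny posture from the mail: only plain DNS and EDNS(0) are known-needed."""
    ver = edns_version(msg)
    return "pass" if ver in (None, 0) else "drop"


def build_query(name: str, version: Optional[int]) -> bytes:
    """Constructed sample: an A query for <name>, with an OPT RR if version is given."""
    labels = b"".join(struct.pack("!B", len(l)) + l.encode() for l in name.split("."))
    arcount = 0 if version is None else 1
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    msg = header + question
    if version is not None:
        ttl = version << 16                                       # VERSION byte, no DO bit
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size 4096, TTL, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return msg


if __name__ == "__main__":
    for v in (None, 0, 1):
        print(f"EDNS version {v}: {firewall_decision(build_query('example.com', v))}")
```

Note the contrast with what a DNS server does: RFC 6891 has a responder that does not implement the requested version answer with extended RCODE BADVERS, so the querier can fall back; a middlebox that silently drops the message instead looks to the querier like a timeout, which is the deployment pain the thread is about.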