There is a new version in the works, expect it late tomorrow (Monday).
It does not outlaw ANY per se, just says limit it to trusted parties.
It tries to define that resolvers treat NOTIMP as a long-term signal that the resolver
should keep track of and not retry.
It says ignore RD=1 on meta queries.
It says do not upstream meta queries.
It applies to all meta types, including RRSIG.
Olafur
> On Mar 7, 2015, at 4:36 PM, Tony Finch <[email protected]> wrote:
>
>
>> On 6 Mar 2015, at 19:37, Bob Harold <[email protected]> wrote:
>>
>> I would be concerned about blocking RD=0 (non-recursive). That would
>> prevent me from checking to be sure an entry was NOT in the cache, in some DNS
>> server my clients are using.
>
> I thought cache probing was considered an unfortunate information leak :-)
>
> You can block rd=0 in BIND using a view with a match-recursive-only
> directive. So I think the only missing ACL is for ANY (and the similar RRSIG).
>
> Tony.
> --
> f.anthony.n.finch <[email protected]> http://dotat.at
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
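The BIND setup Tony mentions, written out as an added example (not from the thread or from BIND's own documentation): a named.conf fragment where a view with match-recursive-only serves RD=1 queries from a trusted client range and a catch-all view refuses everything else, so RD=0 cache probes get REFUSED. The ACL name and address ranges are placeholders.

```conf
// Added example, not from the mailing-list thread.
// Hypothetical client range; replace with the real one.
acl "trusted" { 192.0.2.0/24; 2001:db8::/32; };

// Views are matched in order. This one matches only queries that carry
// RD=1 (match-recursive-only) and come from the trusted ACL, and serves
// them as ordinary recursive answers.
view "recursive" {
    match-clients { trusted; };
    match-recursive-only yes;
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
};

// Everything that did not match above lands here: RD=0 queries from the
// trusted range (cache probes) and all queries from other sources.
// With no zones loaded and allow-query { none; }, named answers REFUSED,
// so the cache contents are not revealed.
view "refuse-rest" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

As Tony notes, this only filters on the RD bit; it does not give an ACL for ANY or RRSIG queries, which still reach the recursive view when RD=1.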