On Sun, 8 Mar 2015, Paul Vixie wrote:
>> So why are we proposing to ACL the ANY queries again?
> because people like me with dig-based diagnostic tools want to be able
> to run ANY queries against our own servers, from our NOC/SOC.
Fair enough.
>> Cloudflare is not doing this for privacy reasons. So let's not kid
>> ourselves.
> cloudflare's motives are their own affair. our motives, as a community,
> for getting behind the cloudflare proposal, are what should concern us.
But all the text you want to remove from the -00 points to why people in
real life will deploy this, and you are stating that is wrong use of the
draft. Your suggestion of removing the text won't change what people
will actually use this draft for, which is to fight amplification
attacks (and avoid needing to implement "difficult ANY code").
Another argument I've heard is about the privacy of a cache. If that's
the goal of the draft, perhaps we should move it to dprive and make
that explicit?
If we specifically want to address the ANY amplification, there are other
methods to do so. If we look at the core issue, amplification based on
spoofed source IPs, then the solution seems obvious. For ANY queries
over UDP without eastlake cookies, require that the query packet will be
larger than the answer packet. So require padding in the ANY query packet.
Modify the dig command to add some 1400 bytes padding to the query
packet.
Paul
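An added example, not code from the thread or from any of its participants, modelling the padding rule proposed above: a minimal DNS query builder that pads the query with the EDNS(0) Padding option (RFC 7830), and a server-side check that answers ANY over UDP in full only when the client presented a DNS Cookie (RFC 7873) or the query is at least as large as the answer. The example.com query, the 4096-byte EDNS buffer size, and the "truncate" fallback (TC=1 so the client retries over TCP) are this example's own assumptions, not something the post specifies.

```python
import struct

EDNS_COOKIE = 10   # EDNS(0) option code for DNS Cookies (RFC 7873)
EDNS_PADDING = 12  # EDNS(0) option code for padding (RFC 7830)

def build_query(qname, qtype, pad_to=0, cookie=b""):
    """Build a UDP query; optionally pad it to pad_to bytes with an EDNS Padding option."""
    opts = b""
    if cookie:  # constructed client cookie, passed straight through as option data
        opts += struct.pack("!HH", EDNS_COOKIE, len(cookie)) + cookie
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    q += b"\x00" + struct.pack("!HH", qtype, 1)
    use_opt = bool(pad_to or cookie)
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, int(use_opt)) + q
    if pad_to:
        # 11 bytes of OPT RR fixed fields + 4 bytes of option header precede the pad
        pad = max(0, pad_to - len(msg) - 11 - len(opts) - 4)
        opts += struct.pack("!HH", EDNS_PADDING, pad) + b"\x00" * pad
    if use_opt:  # OPT RR: root name, type 41, UDP size 4096 (assumed), TTL 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opts)) + opts
    return msg

def parse_question(msg):
    """Return (qname, qtype, offset just past the question section)."""
    labels, off = [], 12
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return ".".join(labels), qtype, off + 5

def edns_options(msg):
    """Return {code: data} from the OPT RR (assumes one question, root-named additional RRs)."""
    _, _, off = parse_question(msg)
    opts = {}
    for _ in range(struct.unpack("!H", msg[10:12])[0]):
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        off += 11
        end = off + rdlen
        while rtype == 41 and off < end:
            code, olen = struct.unpack("!HH", msg[off:off + 4])
            opts[code] = msg[off + 4:off + 4 + olen]
            off += 4 + olen
        off = end
    return opts

def udp_any_policy(query, answer_len):
    """Rule from the post: answer ANY (qtype 255) over UDP only with a cookie or a
    query at least as large as the answer; 'truncate' is this example's assumed fallback."""
    _, qtype, _ = parse_question(query)
    if qtype != 255 or EDNS_COOKIE in edns_options(query):
        return "answer"
    return "answer" if len(query) >= answer_len else "truncate"
```

An unpadded ANY query for example.com is 29 bytes on the wire, so a 1500-byte answer would be a roughly 50x amplification; the same query padded to 1400 bytes passes the check for any answer up to 1400 bytes.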
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop