On Mon, 9 Mar 2015, D. J. Bernstein wrote:
My "qmail" software is very widely deployed (on roughly 1 million SMTP server IP addresses) and, by default, relies upon ANY queries in a way that is guaranteed to work by the mandatory DNS standards.
And you've been told for two decades that this was wrong?
Specifically, query type ANY "matches all RR types" for that node on that server.
Wrong, query type ANY "matches all RR types CURRENTLY IN THE CACHE". So the result of qmail's ANY query is completely meaningless and qmail cannot derive any conclusion from the absence of any record from that query. So if the MX or AAAA record has expired from the cache but another RRtype with larger TTL (say NS) is still in there, your ANY query will fail to find records. qmail with this feature is broken. Additionally, Tony Finch did a write up of qmail's ANY problems too: https://fanf.livejournal.com/122220.html
In new software today I would sacrifice these efficiency benefits for the sake of simplicity, but this doesn't mean that I'm going to frivolously inflict retroactive punishment upon administrators who have installed standards-compliant software and done nothing wrong.
You have had 10 years to fix it. Luckilly, I believe most distributions shipping qmail add the patch to fix this already.
I understand how a sufficiently large site might acquire the impression that it can safely take radical action at its own whim, violating the existing protocol standards
Uhm, we pointd out qmail's _bug_ for a decade. I'm quite sure even you do not need to interop with BIND4 anymore.
Apparently Firefox recently deployed ANY queries. I haven't looked at the details but I gather that they're related to the well-known annoyances of handling AAAA etc. Firefox was browbeaten into reverting this change on the basis of highly questionable claims regarding amplification: "It can return enormous result sets, and some authoritative servers have taken to refusing ANY queries because of the frequency with which such queries show up in amplification attacks" -> "I'm concerned about amplification and the perception thereof by security monitors."
No, they were also told that ANY queries only return data from the cache, and using ANY queries means you might miss actual A or AAAA records. This has nothing to do with ANY queries and amplification.
The common theme of CNAME/MX/A and A/AAAA is that there's widepread interest in being able to easily retrieve multiple record types. What I'm saying is not that query type ANY is the ultimate answer (clearly it can be improved); what I'm saying is that these are protocol issues, and that protocol changes need to be handled by an appropriately chartered IETF working group.
I agree there is a use for this. I tried a few years ago to introduce a new EDNS0 option that would allow you to query for a bitmap number of RRsets, but people did not like it. Perhaps the WG is ready for something like this now. Paul _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
