I've read draft-jabley-dnsop-refuse-any-01. I have a few comments:
- Section 3
ANY queries are sometimes used to help mine authoritative-only DNS
servers for zone data, since they return all RRSets for a particular
owner name. A DNS zone maintainer might prefer not to send full ANY
responses to reduce the potential for such information leaks.
I'm not opposed to the idea of reducing ANY responses per se, but
this rationale doesn't sound very strong to me. There are at most
64K types of records for a particular of name (of the same class),
and for a signed zone it's quite easy to get all existing types for
a particular name (the number of which would usually be much smaller
than 64K in practice). It may be true that sending an ANY query is
an easy and cheap way to get all types of records of a particular
name today, if you really worry about this type of mining, tweaking
ANY response won't help much anyway.
- Section 4
1. A DNS responder may choose to search for an owner name that
matches the QNAME and, if that name owns multiple RRs, return
just one of them.
If the choice of the "one" is not deterministic and especially if a
zone uses different authoritative server implementations, then it's
more likely that they return "inconsistent" responses. This may not
be a problem, but we may want to encourage consistent behavior,
e.g., by suggesting the choice of smallest (not just 'a small') one
in Section 5.
- In terms of using ANY query for debugging purposes, and if our main
goal is to prevent abuses like amplification attacks rather than
mining, I wonder whether we want to allow the original behavior
under some conditions, e.g., queries authorized by TSIG or sent over
TCP.
- I wonder whether we want to use a new type of RR rather than HINFO
for synthesized responses. (I've not closely followed discussions on
this draft, so perhaps it was already considered and rejected?).
--
JINMEI, Tatuya
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
