On Mon, Nov 2, 2015 at 1:21 AM, 神明達哉 <[email protected]> wrote:
> I've read draft-jabley-dnsop-refuse-any-01. I have a few comments:
>
> - Section 3
>
>    ANY queries are sometimes used to help mine authoritative-only DNS
>    servers for zone data, since they return all RRSets for a particular
>    owner name. A DNS zone maintainer might prefer not to send full ANY
>    responses to reduce the potential for such information leaks.
>
> I'm not opposed to the idea of reducing ANY responses per se, but
> this rationale doesn't sound very strong to me. There are at most
> 64K types of records for a particular name (of the same class),
> and for a signed zone it's quite easy to get all existing types for
> a particular name (the number of which would usually be much smaller
> than 64K in practice). It may be true that sending an ANY query is
> an easy and cheap way to get all types of records of a particular
> name today, but if you really worry about this type of mining, tweaking
> ANY response won't help much anyway.
>

Even a 3 to 1 reduction in queries is a significant bonus to using ANY, and since most zones are not signed, ANY is very useful. (But unfortunately also abusable.)

> - Section 4
>
>    1. A DNS responder may choose to search for an owner name that
>       matches the QNAME and, if that name owns multiple RRs, return
>       just one of them.
>
> If the choice of the "one" is not deterministic and especially if a
> zone uses different authoritative server implementations, then it's
> more likely that they return "inconsistent" responses. This may not
> be a problem, but we may want to encourage consistent behavior,
> e.g., by suggesting the choice of smallest (not just 'a small') one
> in Section 5.
>

+1

> - In terms of using ANY query for debugging purposes, and if our main
> goal is to prevent abuses like amplification attacks rather than
> mining, I wonder whether we want to allow the original behavior
> under some conditions, e.g., queries authorized by TSIG or sent over
> TCP.
>

Strong +1 here.

> - I wonder whether we want to use a new type of RR rather than HINFO
> for synthesized responses. (I've not closely followed discussions on
> this draft, so perhaps it was already considered and rejected?).
>

Do most resolvers cache RR types that they do not recognize?

> --
> JINMEI, Tatuya
>

--
Bob Harold
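The responder behaviour discussed above (return one deterministically chosen, smallest RRset for ANY over UDP, or a synthesized HINFO, but the full answer over TCP or with TSIG) as an added, simulated example; this is not code from the draft or from either poster. The zone data, the wire-size estimate and the HINFO text are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    rdatas: tuple  # constructed presentation-format rdata, one entry per RR

    def wire_size(self) -> int:
        # Rough estimate (assumption): owner name + 10-byte RR fixed fields + rdata length
        per_rr = len(self.owner) + 1 + 10
        return sum(per_rr + len(r) for r in self.rdatas)

# Constructed zone content for a single owner name
ZONE = {
    "example.test.": [
        RRset("example.test.", "A", ("192.0.2.1",)),
        RRset("example.test.", "AAAA", ("2001:db8::1",)),
        RRset("example.test.", "MX", ("10 mail.example.test.", "20 mail2.example.test.")),
        RRset("example.test.", "TXT", ("v=spf1 -all", "some long verification token " * 4)),
    ]
}

def answer_any(qname, transport="udp", tsig_verified=False, mode="smallest"):
    """RRsets to place in the answer section for QTYPE=ANY.
    Full answers only over TCP or when TSIG-authenticated (the exception the
    thread asks for); otherwise either a synthesized HINFO or the single
    smallest RRset, chosen by (wire size, type name) so that different
    implementations serving the same zone give the same answer."""
    rrsets = ZONE.get(qname)
    if rrsets is None:
        return []  # NXDOMAIN handled elsewhere in a real server
    if transport == "tcp" or tsig_verified:
        return list(rrsets)
    if mode == "hinfo":
        # Placeholder HINFO text; the draft's exact synthesized content is not shown here
        return [RRset(qname, "HINFO", ("ANY-refused see-draft",))]
    return [min(rrsets, key=lambda r: (r.wire_size(), r.rtype))]

def amplification(qname, transport="udp", **kw):
    """Answer bytes divided by an approximate query size (12-byte header + QNAME + 4),
    to compare how much each policy limits reflection amplification."""
    query_size = 12 + len(qname) + 1 + 4
    return sum(r.wire_size() for r in answer_any(qname, transport, **kw)) / query_size
```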
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
