Re: [DNSOP] Second Working Group Last Call: draft-ietf-dnsop-refuse-any

Paul Wouters <paul@nohats.ca> Mon, 20 March 2017 17:54 UTC

Date: Mon, 20 Mar 2017 13:53:19 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tony Finch <dot@dotat.at>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <alpine.DEB.2.11.1703201730150.26686@grey.csi.cam.ac.uk>
Message-ID: <alpine.LRH.2.20.999.1703201352530.24328@bofh.nohats.ca>
References: <CADyWQ+GSStfAiOs8R9Ob7+LVh0RAfPQ+AbbTFNuwsrKkO=EUWg@mail.gmail.com> <CAC94RYYir_5rKmW47XkUZoVCs5PUfWiKg4Cygyvw6pOzqC5mfA@mail.gmail.com> <d8f1076e-a635-7620-5e2b-0c70efe2c0cf@dougbarton.us> <EDDF24B8-42F6-4BCA-8162-5A5C7CDC8CA2@rfc1035.com> <65cec05f-bb1b-cb9e-d874-a73c9c4653ac@dougbarton.us> <87C900A0-50CA-4B65-813B-1F9D1D831380@rfc1035.com> <alpine.LRH.2.20.999.1703201020240.18647@bofh.nohats.ca> <alpine.DEB.2.11.1703201730150.26686@grey.csi.cam.ac.uk>
User-Agent: Alpine 2.20.999 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/21wnP7qsE3IYOFMk1CFOjK-YBOk>
Subject: Re: [DNSOP] Second Working Group Last Call: draft-ietf-dnsop-refuse-any
Precedence: list

On Mon, 20 Mar 2017, Tony Finch wrote:

> Paul Wouters <paul@nohats.ca> wrote:
>>
>> At section 4, item 3, it could give advise based on source-verified
>> transport, so that ANY queries received over TCP or with DNS-COOKIES
>> could include more data then potentially spoofed UDP packets. But perhaps
>> that is not worth it, because ANY queries shouldn't really be used by
>> applications, and humans will likely use dig without tcp or cookies
>> enabled. So I am fine with the current text as well. But I think it
>> would be cleaner if we no longer refer to UDP and TCP when we really
>> mean "source IP verified transport" when we say that.
>
> The important distinction for me really is TCP vs UDP - I want to avoid
> sending fragmented or truncated UDP responses to legitimate clients.
> (Spoofing attacks are handled by RRL, not minimal-any.)
> https://www.ietf.org/mail-archive/web/dnsop/current/msg19609.html
> https://www.ietf.org/mail-archive/web/dnsop/current/msg19631.html

Then clearly the section could use some clarification text :)

Paul

[DNSOP] Second Working Group Last Call: draft-iet… tjw ietf
Re: [DNSOP] Second Working Group Last Call: draft… Richard Gibson
Re: [DNSOP] Second Working Group Last Call: draft… Doug Barton
Re: [DNSOP] Second Working Group Last Call: draft… Jim Reid
Re: [DNSOP] Second Working Group Last Call: draft… Doug Barton
Re: [DNSOP] Second Working Group Last Call: draft… Mark Andrews
Re: [DNSOP] Second Working Group Last Call: draft… Havard Eidnes
Re: [DNSOP] Second Working Group Last Call: draft… Petr Špaček
Re: [DNSOP] Second Working Group Last Call: draft… Doug Barton
Re: [DNSOP] Second Working Group Last Call: draft… Evan Hunt
Re: [DNSOP] Second Working Group Last Call: draft… Tony Finch
Re: [DNSOP] Second Working Group Last Call: draft… Tony Finch
Re: [DNSOP] Second Working Group Last Call: draft… Jim Reid
Re: [DNSOP] Second Working Group Last Call: draft… Stephane Bortzmeyer
Re: [DNSOP] Second Working Group Last Call: draft… Stephane Bortzmeyer
Re: [DNSOP] Second Working Group Last Call: draft… Jim Reid
Re: [DNSOP] Second Working Group Last Call: draft… Petr Špaček
Re: [DNSOP] Second Working Group Last Call: draft… Tony Finch
Re: [DNSOP] Second Working Group Last Call: draft… Tony Finch
Re: [DNSOP] Second Working Group Last Call: draft… Paul Wouters
Re: [DNSOP] Second Working Group Last Call: draft… Tony Finch
Re: [DNSOP] Second Working Group Last Call: draft… Paul Wouters
Re: [DNSOP] Second Working Group Last Call: draft… 神明達哉