Re: [DNSOP] More work for DNSOP :-)

Paul Vixie <> Fri, 06 March 2015 18:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 36E8C1A1BD9 for <>; Fri, 6 Mar 2015 10:59:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.208
X-Spam-Status: No, score=0.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_ABOUTYOU=0.5, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U1_QU2-UobzO for <>; Fri, 6 Mar 2015 10:59:28 -0800 (PST)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5AD311A1B6D for <>; Fri, 6 Mar 2015 10:59:28 -0800 (PST)
Received: from [IPv6:2001:559:8000:cb:b015:3cb0:25ba:df77] (unknown [IPv6:2001:559:8000:cb:b015:3cb0:25ba:df77]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id BF98E1814C; Fri, 6 Mar 2015 18:59:28 +0000 (UTC)
Message-ID: <>
Date: Fri, 06 Mar 2015 10:59:25 -0800
From: Paul Vixie <>
User-Agent: Postbox 3.0.11 (Windows/20140602)
MIME-Version: 1.0
To: Simon Perreault <>
References: <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/alternative; boundary="------------030604000404030505000309"
Archived-At: <>
Subject: Re: [DNSOP] More work for DNSOP :-)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Mar 2015 18:59:30 -0000

> Simon Perreault <>
> Friday, March 06, 2015 7:07 AM
> ...
> The problem with ANY is that it appears to work just fine. If a
> significant chunk of DNS servers start breaking ANY then it might
> discourage naive developers from attempting to use it. 

there's a much bigger problem with ANY, which is that its only valid use is
for diagnostics. like RD=0 sent to a recursive-only non-authoritative
name server, its intended purpose is helping other people learn things
about your name server state that you get no direct benefit from exposing.

mozilla's use of ANY is abusive. when sendmail used to send ANY queries,
we thought it could save round trips. we eventually learned that this
was crazy-talk. mozilla's abuse inevitably brings cloudflare's defense.

let's nip one meme in the bud, though: deprecating ANY will not change
the reflecting/amplifying landscape other than to obsolete some of the
existing low-end DDoS tools, which will quickly be changed to ask for
TXT or NS (or even better, DNSKEY).

Paul Vixie
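The last point in the message above, that a reflector filter keyed on QTYPE=ANY is trivially evaded by switching to TXT, NS or DNSKEY, can be shown on the wire. The following is an added example, not code from Paul Vixie or from the DNSOP thread: it builds RFC 1035 queries with an RFC 6891 OPT record (the large advertised UDP buffer that amplification tools rely on), parses them back the way a resolver or IDS would, and runs a small detector over constructed sample traffic. The source addresses, the 20-query threshold and the names `build_query`, `parse_query`, `reflection_suspects` are assumptions made for the example.

```python
import struct
from collections import Counter

# QTYPEs named in the message: ANY, and the types an attacker would switch to.
QTYPE = {"A": 1, "NS": 2, "TXT": 16, "DNSKEY": 48, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
AMPLIFYING = {QTYPE["ANY"], QTYPE["TXT"], QTYPE["NS"], QTYPE["DNSKEY"]}


def encode_name(name):
    """Owner name to RFC 1035 label format ("example." -> b"\\x07example\\x00")."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=4096, rd=1):
    """Minimal DNS query: header + one question + an OPT pseudo-RR.
    The query is the same size whatever the QTYPE; amplification comes
    entirely from the answer the reflector is willing to send."""
    flags = 0x0100 if rd else 0x0000            # QR=0, opcode QUERY, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT: root name, type 41, CLASS field carries the requestor's UDP payload
    # size, TTL field carries ext-RCODE/version/flags (all 0), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def decode_name(pkt, off):
    """Read a label sequence at pkt[off]; returns (dotted name, new offset)."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:                     # pointer: never valid in a question
            raise ValueError("compression pointer in question name")
        off += 1
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """Return (qname, qtype, rd, edns_bufsize); bufsize is 512 when no OPT RR."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    _txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response, not query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    bufsize = 512
    for _ in range(ar):
        if off >= len(pkt) or pkt[off] != 0:     # only root-named (OPT) RRs matter here
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off + 1:off + 11])
        off += 11 + rdlen
        if rtype == 41:
            bufsize = rclass
    return qname, qtype, bool(flags & 0x0100), bufsize


def query_sizes(name):
    """Wire size of the query for each amplifying QTYPE (all identical)."""
    return {t: len(build_query(name, QTYPE[t])) for t in ("ANY", "TXT", "NS", "DNSKEY")}


def reflection_suspects(packets, threshold=20):
    """packets: iterable of (src_ip, query_bytes). Flags a source that sends
    >= threshold queries for any large-answer type while advertising a UDP
    buffer above the classic 512 bytes. Keying on ANY alone would miss the
    DNSKEY, TXT and NS variants of the same attack."""
    count, types = Counter(), {}
    for src, pkt in packets:
        try:
            _, qtype, _, bufsize = parse_query(pkt)
        except (ValueError, IndexError, struct.error):
            continue                               # malformed: not our concern here
        if qtype in AMPLIFYING and bufsize > 512:
            count[src] += 1
            types.setdefault(src, set()).add(QTYPE_NAME.get(qtype, str(qtype)))
    return {src: sorted(types[src]) for src, n in count.items() if n >= threshold}


# Constructed sample traffic (documentation addresses, not real observations):
# 192.0.2.7 plays a spoofed victim whose address a DNSKEY-based tool reflects
# off us; 198.51.100.9 is an ordinary client that happens to send two ANYs.
SAMPLE_TRAFFIC = (
    [("192.0.2.7", build_query("example.", QTYPE["DNSKEY"], txid=i)) for i in range(30)]
    + [("198.51.100.9", build_query("example.", QTYPE["A"], txid=i)) for i in range(3)]
    + [("198.51.100.9", build_query("example.", QTYPE["ANY"], txid=i, edns_bufsize=512))
       for i in range(2)]
)

if __name__ == "__main__":
    print(query_sizes("example."))
    print(reflection_suspects(SAMPLE_TRAFFIC))
```

The `rd` argument of `build_query` is there so the RD=0 case from the message can be produced as well; a recursive-only server receiving such a query has, as Vixie says, nothing to gain from answering it. In production the per-source counting would be done with a sliding window rather than a flat count, which is what BIND's response rate limiting does on the answer side.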