Re: [DNSOP] More work for DNSOP :-)

Paul Vixie <paul@redbarn.org> Fri, 06 March 2015 19:20 UTC

Message-ID: <54F9FDFA.2030405@redbarn.org>
Date: Fri, 06 Mar 2015 11:20:26 -0800
From: Paul Vixie <paul@redbarn.org>
To: Simon Perreault <sperreault@jive.com>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com>
In-Reply-To: <54F9FCD3.7010204@jive.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Gj2YFkRoMvpAWgZU_egwr4_mh1E>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] More work for DNSOP :-)


> Simon Perreault <mailto:sperreault@jive.com>
> Friday, March 06, 2015 11:15 AM
> On 2015-03-06 13:59, Paul Vixie wrote:
>
>> like RD=0 sent to a recursive-only non-authoritative
>> name server, its intended purpose is helping other people learn things
>> about your name server state that you get no direct benefit from
>> exposing.
>>
>> ...
>
> Full agreement.
>
> All of that would not be so bad if ANY did not appear to work.
> Mozilla, and others, would not have used ANY if it had not appeared to
> work. That's why ANY is so subversive.
>
> Let's break it significantly so it doesn't appear to work anymore.

I now realize that the draft should cover "meta queries" in general,
including RD=0 to a recursive server, AXFR and IXFR, and ANY of course,
and whatever else we can come up with. And the recommendation should be
to place these query types behind some access control mechanism, to
prevent them from being used in normal DNS operations, but to support
their use for diagnostic or other close-relationship activities (zone
transfers).

-- 
Paul Vixie
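As an added illustration of the access-control recommendation in the message above (example code written for this page, not part of the thread, of any draft, or of any name server implementation): a small Python gate that parses the question section of a DNS query, classifies the "meta queries" named above (ANY, AXFR, IXFR, and RD=0 sent to a recursive-only server), and answers REFUSED unless the source address is inside an operator-defined ACL. The ACL networks, the sample queries, and the `recursive_only` switch are assumptions constructed for the example.

```python
# Example policy gate for DNS meta queries (ANY, AXFR, IXFR, RD=0 to a
# recursive-only server). Hypothetical code written for this page; not BIND,
# not draft text. ACL and sample queries are constructed for illustration.
import ipaddress
import struct

QTYPE_IXFR, QTYPE_AXFR, QTYPE_ANY = 251, 252, 255
RCODE_REFUSED = 5
FLAG_QR, FLAG_RD = 0x8000, 0x0100

# Assumed operator policy: only these networks (say, secondaries and a
# monitoring host) may send meta queries. Constructed for the example.
DIAG_ACL = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, rd=True, qid=0x1234):
    """Build a minimal one-question DNS query (constructed test input)."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    """Parse header and the single question; reject anything odd."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question not accepted")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "rd": bool(flags & FLAG_RD),
            "qname": ".".join(labels) + ".", "qtype": qtype}


def classify(q, recursive_only=True):
    """Return the meta-query kind, or None for an ordinary query."""
    if q["qtype"] == QTYPE_AXFR:
        return "AXFR"
    if q["qtype"] == QTYPE_IXFR:
        return "IXFR"
    if q["qtype"] == QTYPE_ANY:
        return "ANY"
    # RD=0 only counts as a meta query on a recursive-only server.
    if recursive_only and not q["rd"]:
        return "RD=0"
    return None


def allowed(src, acl):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in acl)


def gate(msg, src, acl=DIAG_ACL, recursive_only=True):
    """Return (kind, verdict, response). Response is a REFUSED reply
    echoing ID and question when the query is blocked, else None."""
    q = parse_query(msg)
    kind = classify(q, recursive_only)
    if kind is None or allowed(src, acl):
        return kind, "ACCEPT", None
    flags = FLAG_QR | (FLAG_RD if q["rd"] else 0) | RCODE_REFUSED
    response = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + msg[12:]
    return kind, "REFUSED", response


if __name__ == "__main__":
    # Constructed sample traffic: one ordinary lookup, then meta queries
    # from an unlisted client and from an ACL'd diagnostic host.
    samples = [
        (build_query("example.com", 1), "198.51.100.7"),
        (build_query("example.com", QTYPE_ANY), "198.51.100.7"),
        (build_query("example.com", QTYPE_ANY), "192.0.2.10"),
        (build_query("example.com", QTYPE_AXFR), "2001:db8::1"),
        (build_query("example.com", 1, rd=False), "198.51.100.7"),
    ]
    for msg, src in samples:
        kind, verdict, _ = gate(msg, src)
        print(f"{src:>16}  {kind or 'normal':>6}  {verdict}")
```

The gate answers REFUSED rather than silently dropping, so a legitimate operator running a diagnostic from an unlisted address sees a clear policy denial instead of a timeout, while clients that relied on ANY "appearing to work" get an unambiguous failure. On an authoritative-only server, call `gate(..., recursive_only=False)` so that RD=0 (the normal case there) is not treated as a meta query.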