Re: [DNSOP] More work for DNSOP :-)

[Paul Vixie <paul@redbarn.org>]

> Bob Harold <mailto:rharolde@umich.edu>
> Friday, March 06, 2015 11:37 AM
> I would be concerned about blocking RD=0 (non-recursive).  That would
> prevent me from check to be sure an entry was NOT in the cache, in
> some DNS server my clients are using. That would make troubleshooting
> more difficult.  Let's not automatically include that in some group to
> get easily blocked.  A separate command to block RD=0 is fine, if
> someone chooses to use it, to make life difficult for others, that is
> their choice, but don't recommend it or make it part of a group.

i feel, and share, the pain you're describing. however, we're in a
post-snowden era, and any information leaks (such as RD=0 queries to
recursive-only servers) have to be reconsidered on the new risk:benefit
model. i find that giving every one of my users and customers the
ability to find out the presence and if present the TTL of anything in
my cache is something more likely to be used against me than to be used
for me. the fact that this will make reasonable things like what you're
describing also broadly impossible is no different from all the
reasonable things that ubiquitous perfect forward secrecy will also make
impossible.

as you say, fine grained acl's should be the recommendation. but the
default ACL for all meta types should be recommended as "nobody". this
is further evidence that abuse breeds overcompensation, like with ANY
itself. (if mozilla hadn't abused ANY, we would not be having this
conversation.)

-- 
Paul Vixie