Re: [DNSOP] More work for DNSOP :-)
Paul Vixie <paul@redbarn.org> Fri, 06 March 2015 19:42 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AAC41A1BE4 for <dnsop@ietfa.amsl.com>; Fri, 6 Mar 2015 11:42:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.309
X-Spam-Level:
X-Spam-Status: No, score=-1.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_47=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6F05NeBFrZ1g for <dnsop@ietfa.amsl.com>; Fri, 6 Mar 2015 11:42:11 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F7471A6F3A for <dnsop@ietf.org>; Fri, 6 Mar 2015 11:42:11 -0800 (PST)
Received: from [IPv6:2001:559:8000:cb:b015:3cb0:25ba:df77] (unknown [IPv6:2001:559:8000:cb:b015:3cb0:25ba:df77]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 8CAF61851C; Fri, 6 Mar 2015 19:42:11 +0000 (UTC)
Message-ID: <54FA0310.3000908@redbarn.org>
Date: Fri, 06 Mar 2015 11:42:08 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 3.0.11 (Windows/20140602)
MIME-Version: 1.0
To: Bob Harold <rharolde@umich.edu>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com> <54F9FDFA.2030405@redbarn.org> <CA+nkc8AyOvMwpoXQYmubxmWjKvkQwXYr1QaLPOoA1E-ahpV7wA@mail.gmail.com>
In-Reply-To: <CA+nkc8AyOvMwpoXQYmubxmWjKvkQwXYr1QaLPOoA1E-ahpV7wA@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/alternative; boundary="------------000205060406000905000901"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/JLmihsZ4tGWnfnp9pF8eNJP7brI>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] More work for DNSOP :-)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 19:42:12 -0000
> Bob Harold <mailto:rharolde@umich.edu> > Friday, March 06, 2015 11:37 AM > I would be concerned about blocking RD=0 (non-recursive). That would > prevent me from check to be sure an entry was NOT in the cache, in > some DNS server my clients are using. That would make troubleshooting > more difficult. Let's not automatically include that in some group to > get easily blocked. A separate command to block RD=0 is fine, if > someone chooses to use it, to make life difficult for others, that is > their choice, but don't recommend it or make it part of a group. i feel, and share, the pain you're describing. however, we're in a post-snowden era, and any information leaks (such as RD=0 queries to recursive-only servers) have to be reconsidered on the new risk:benefit model. i find that giving every one of my users and customers the ability to find out the presence and if present the TTL of anything in my cache is something more likely to be used against me than to be used for me. the fact that this will make reasonable things like what you're describing also broadly impossible is no different from all the reasonable things that ubiquitous perfect forward secrecy will also make impossible. as you say, fine grained acl's should be the recommendation. but the default ACL for all meta types should be recommended as "nobody". this is further evidence that abuse breeds overcompensation, like with ANY itself. (if mozilla hadn't abused ANY, we would not be having this conversation.) -- Paul Vixie
- [DNSOP] More work for DNSOP :-) Stephane Bortzmeyer
- Re: [DNSOP] More work for DNSOP :-) Simon Perreault
- Re: [DNSOP] More work for DNSOP :-) Edward Lewis
- Re: [DNSOP] More work for DNSOP :-) Marcus Grando
- Re: [DNSOP] More work for DNSOP :-) Stephane Bortzmeyer
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Alejandro Acosta
- Re: [DNSOP] More work for DNSOP :-) Simon Perreault
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Edward Lewis
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Bob Harold
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Dan York
- Re: [DNSOP] More work for DNSOP :-) Evan Hunt
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Paul Wouters
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Paul Wouters
- Re: [DNSOP] More work for DNSOP :-) Andrew Sullivan
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Paul Vixie
- Re: [DNSOP] More work for DNSOP :-) Tony Finch
- Re: [DNSOP] More work for DNSOP :-) Olafur Gudmundsson
- Re: [DNSOP] More work for DNSOP :-) Paul Hoffman
- Re: [DNSOP] More work for DNSOP :-) Andreas Gustafsson
- Re: [DNSOP] More work for DNSOP :-) Tony Finch
- Re: [DNSOP] More work for DNSOP :-) Stephane Bortzmeyer
- [DNSOP] Why no more meta-queries? (Was: More work… Stephane Bortzmeyer
- Re: [DNSOP] More work for DNSOP :-) Paul Hoffman
- Re: [DNSOP] Why no more meta-queries? (Was: More … Ray Bellis
- Re: [DNSOP] More work for DNSOP :-) Olafur Gudmundsson
- Re: [DNSOP] Why no more meta-queries? (Was: More … Shumon Huque
- Re: [DNSOP] Why no more meta-queries? (Was: More … Robert Edmonds
- Re: [DNSOP] Why no more meta-queries? (Was: More … Shumon Huque
- Re: [DNSOP] Why no more meta-queries? (Was: More … Shumon Huque
- Re: [DNSOP] Why no more meta-queries? (Was: More … W.C.A. Wijngaards
- Re: [DNSOP] Why no more meta-queries? (Was: More … Shumon Huque