Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

Vernon Schryver <> Mon, 13 February 2017 22:43 UTC

Date: Mon, 13 Feb 2017 22:43:23 +0000
From: Vernon Schryver <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt
List-Id: IETF DNSOP WG mailing list <>

> From: Tony Finch <>

> One of the points of minimal-any is that the answer is not truncated
> because you do not want clients to automatically retry over TCP. This is
> to handle situations where many third-party recursive servers are under
> attack using one of your names, so the recursive servers are hitting
> your authoritative servers hard. RRL does not work in this case, because
> the clients are legitimate recursive servers. You want to give them an
> answer asap, that they can cache without hitting TCP.

On the contrary, as that case is described, RRL works fine, and
this minimal-any mechanism won't help the obvious attack situation
that might be intended.

Each legitimate recursive server will ask once per some TTL and
cache the rrsets that it gets.  No single legitimate recursive
server will make a lot of ANY requests per unit time.

An attack that might be intended involves many open recursive servers
(perhaps open only to local infected eyeball stubs) being hit for only a
few requests each (or at least passing on only a few each request) for
your names but many all together.

However, in that case how many legitimate recursive servers will
send ANY requests to authorities?

Vernon Schryver
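As an added illustration of the rate argument in the message above (this is constructed example code, not part of the mail thread or any RRL implementation), a simplified per-client RRL bucket is run over three query traces: recursives asking ANY once per TTL, one source repeating the same ANY query many times a second, and many sources sending a few queries each. The rate limit, client names and the 203.0.113.7 address are assumed values.

```python
from collections import defaultdict

# Assumed RRL parameters: 5 identical responses per second to one client,
# with at most one second of burst credit. Real RRL implementations key on
# the client's netblock and the response contents; this keeps the same idea.
RATE = 5

class Rrl:
    """Simplified per-(client, qname, qtype) token bucket in the spirit of RRL."""
    def __init__(self, rate=RATE):
        self.rate = rate
        self.buckets = {}          # key -> (credit, last_seen)

    def decide(self, client, qname, qtype, now):
        """Return "answer" or "drop" for one response at time `now` (seconds)."""
        key = (client, qname, qtype)
        credit, last = self.buckets.get(key, (self.rate, now))
        credit = min(self.rate, credit + (now - last) * self.rate)  # refill
        if credit >= 1:
            self.buckets[key] = (credit - 1, now)
            return "answer"
        self.buckets[key] = (credit, now)
        return "drop"

def run(queries):
    """Feed (time, client, qname, qtype) tuples through RRL; count per client."""
    rrl = Rrl()
    stats = defaultdict(lambda: {"answer": 0, "drop": 0})
    for now, client, qname, qtype in sorted(queries):
        stats[client][rrl.decide(client, qname, qtype, now)] += 1
    return stats

def totals(stats):
    """(answered, dropped) over all clients."""
    return (sum(s["answer"] for s in stats.values()),
            sum(s["drop"] for s in stats.values()))

# Constructed traces; the client address is a documentation-range placeholder.
TTL = 3600
def legitimate_recursives(n=1000, ttls=3):
    # each recursive asks ANY once per TTL and caches the answer in between
    return [(t * TTL, f"recursive-{i}", "example.com.", "ANY")
            for i in range(n) for t in range(ttls)]

def one_hammering_source(seconds=10, per_second=50):
    # a single source repeating the same ANY query 50 times a second
    return [(s, "203.0.113.7", "example.com.", "ANY")
            for s in range(seconds) for _ in range(per_second)]

def many_sources_few_each(n=500, each=3):
    # the other case in the mail: many open recursives, a few queries each
    return [(0, f"open-{i}", "example.com.", "ANY") for i in range(n) for _ in range(each)]
```

Only the single repeating source loses responses; the once-per-TTL recursives and the spread-out case pass through the bucket untouched, which is the limit of RRL the message points at.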