Re: [DNSOP] Suggestion for "any" - TCP only
Paul Wouters <paul@nohats.ca> Mon, 09 March 2015 14:03 UTC
Date: Mon, 09 Mar 2015 10:02:22 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <54FD2F2F.7050704@redbarn.org>
Message-ID: <alpine.LFD.2.10.1503090936560.13703@bofh.nohats.ca>
References: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com> <alpine.LFD.2.10.1503082115040.2914@bofh.nohats.ca> <54FD1969.3070405@redbarn.org> <alpine.LFD.2.10.1503082359510.31060@bofh.nohats.ca> <54FD2F2F.7050704@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/OlnEW-2jJ_461IaOrypC7EeGRO8>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] Suggestion for "any" - TCP only
On Sun, 8 Mar 2015, Paul Vixie wrote:

>> So why are we proposing to ACL the ANY queries again?
>
> because people like me with dig-based diagnostic tools want to be able
> to run ANY queries against our own servers, from our NOC/SOC.

Fair enough.

>> Cloudflare is not doing this for privacy reasons. So let's not kid
>> ourselves.
>
> cloudflare's motives are their own affair. our motives, as a community,
> for getting behind the cloudflare proposal, are what should concern us.

But all the text you want to remove from the -00 points to why people in
real life will deploy this, and you are stating that is a wrong use of the
draft. Your suggestion of removing the text won't change what people will
actually use this draft for, which is to fight amplification attacks (and
avoid needing to implement "difficult ANY code").

Another argument I've heard is about the privacy of a cache. If that's the
goal of the draft, perhaps we should move it to dprive and make that
explicit?

If we specifically want to address the ANY amplification, there are other
methods to do so. If we look at the core issue, amplification based on
spoofed source IPs, then the solution seems obvious. For ANY queries over
UDP without eastlake cookies, require that the query packet will be larger
than the answer packet. So require padding in the ANY query packet. Modify
the dig command to add some 1400 bytes padding to the query packet.

Paul
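As an added example (not from this thread or any of its participants), a minimal sketch of the padding rule proposed above: a constructed wire-format ANY query carrying an EDNS(0) padding option (and optionally a cookie), and a server-side check that answers an uncookied UDP ANY query only when the query is at least as large as the answer. Replying with TC=1 to push the client to TCP when the rule fails is my assumed fallback, not something the message specifies.

```python
import struct

QTYPE_ANY = 255
EDNS_OPT_COOKIE = 10     # RFC 7873 DNS Cookie option code
EDNS_OPT_PADDING = 12    # RFC 7830 EDNS(0) Padding option code

def build_any_query(name, padding=0, cookie=None):
    """Constructed minimal wire-format ANY query with an EDNS(0) OPT RR (stdlib only)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD, QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE_ANY, 1)           # QTYPE=ANY, QCLASS=IN
    options = b""
    if cookie is not None:
        options += struct.pack("!HH", EDNS_OPT_COOKIE, len(cookie)) + cookie
    if padding:
        options += struct.pack("!HH", EDNS_OPT_PADDING, padding) + b"\x00" * padding
    # OPT RR: root name, TYPE=41, UDP payload size 4096, ext-RCODE/version/flags 0, RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(options)) + options
    return header + question + opt

def parse_any_query(packet):
    """Return (qtype, set of EDNS option codes) from a single-question query."""
    arcount = struct.unpack("!H", packet[10:12])[0]
    pos = 12
    while packet[pos] != 0:           # skip QNAME labels (queries carry no compression)
        pos += 1 + packet[pos]
    pos += 1
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    pos += 4                          # QTYPE + QCLASS
    codes = set()
    if arcount and packet[pos] == 0 and struct.unpack("!H", packet[pos + 1:pos + 3])[0] == 41:
        rdlen = struct.unpack("!H", packet[pos + 9:pos + 11])[0]
        rd, end = pos + 11, pos + 11 + rdlen
        while rd + 4 <= end:          # walk the option list: code, length, data
            code, olen = struct.unpack("!HH", packet[rd:rd + 4])
            codes.add(code)
            rd += 4 + olen
    return qtype, codes

def udp_any_policy(packet, answer_len, over_tcp=False):
    """Server-side decision: "answer" or "truncate" (TC=1, retry over TCP; assumed fallback).

    ANY over UDP without a cookie is answered only when the query is at least as
    large as the answer, so a spoofed-source query cannot amplify traffic.
    """
    qtype, codes = parse_any_query(packet)
    if over_tcp or qtype != QTYPE_ANY or EDNS_OPT_COOKIE in codes:
        return "answer"
    return "answer" if len(packet) >= answer_len else "truncate"
```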