Re: [DNSOP] Suggestion for "any" - TCP only

Paul Wouters <paul@nohats.ca> Mon, 09 March 2015 14:03 UTC

Date: Mon, 09 Mar 2015 10:02:22 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <54FD2F2F.7050704@redbarn.org>
Message-ID: <alpine.LFD.2.10.1503090936560.13703@bofh.nohats.ca>
References: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com> <alpine.LFD.2.10.1503082115040.2914@bofh.nohats.ca> <54FD1969.3070405@redbarn.org> <alpine.LFD.2.10.1503082359510.31060@bofh.nohats.ca> <54FD2F2F.7050704@redbarn.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/OlnEW-2jJ_461IaOrypC7EeGRO8>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] Suggestion for "any" - TCP only

On Sun, 8 Mar 2015, Paul Vixie wrote:

>> So why are we proposing to ACL the ANY queries again?
>
> because people like me with dig-based diagnostic tools want to be able
> to run ANY queries against our own servers, from our NOC/SOC.

Fair enough.

>> Cloudflare is not doing this for privacy reasons. So let's not kid
>> ourselves.
>
> cloudflare's motives are their own affair. our motives, as a community,
> for getting behind the cloudflare proposal, are what should concern us.

But all the text you want to remove from the -00 points to why people in
real life will deploy this, and you are stating that this is a wrong use of
the draft. Your suggestion of removing the text won't change what people
will actually use this draft for, which is to fight amplification
attacks (and avoid needing to implement "difficult ANY code").

Another argument I've heard is about the privacy of a cache. If that's
the goal of the draft, perhaps we should move it to dprive and make
that explicit?

If we specifically want to address the ANY amplification, there are other
methods to do so. If we look at the core issue, amplification based on
spoofed source IPs, then the solution seems obvious. For ANY queries
over UDP without Eastlake cookies, require that the query packet be
larger than the answer packet. So require padding in the ANY query packet.
Modify the dig command to add some 1400 bytes of padding to the query
packet.

Paul
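The padding idea from the message above, worked through as an added example that is not part of the thread and not code from any of the participants. It builds an ANY query carrying an EDNS0 padding option (option code 12, RFC 7830) sized so the whole datagram is 1400 bytes, and shows the matching server-side rule: an ANY query over UDP is answered only if it is larger than the answer would be, or if it carries a DNS cookie (option code 10, RFC 7873, the "Eastlake cookies" referred to above). What a server does when the rule is not met is not specified in the message; the example assumes a minimal TC=1 reply that pushes the client to TCP. The query name and cookie value are constructed sample data.

```python
import struct

ANY, OPT = 255, 41
OPT_COOKIE, OPT_PADDING = 10, 12   # EDNS option codes: RFC 7873 cookie, RFC 7830 padding

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_any_query(qname, txid=0x1234, qtype=ANY, pad_to=1400, udp_size=4096, cookie=None):
    """Query with an EDNS0 padding option sized so the whole datagram is pad_to bytes.
    If a cookie is given it is sent as an EDNS cookie option before the padding."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = b""
    if cookie:
        options += struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie
    # OPT RR fixed part is 11 bytes; the padding option itself adds a 4-byte option header
    pad_len = pad_to - (len(header) + len(question) + 11 + len(options) + 4)
    if pad_len < 0:
        raise ValueError("pad_to too small for this query")
    options += struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, len(options)) + options
    return header + question + opt_rr

def _skip_name(buf, off):
    """Advance past a wire-format name (handles a compression pointer as a terminator)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_query(buf):
    """Return the qtype and the EDNS options present (code -> data) in a query."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off, qtype = 12, None
    for _ in range(qd):
        off = _skip_name(buf, off)
        qtype, _qclass = struct.unpack_from("!HH", buf, off)
        off += 4
    options = {}
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == OPT:
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, p)
                options[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
    return {"qtype": qtype, "options": options}

def udp_any_policy(query, answer_len):
    """Server-side rule for an ANY query received over UDP.
    Returns 'answer' when the amplification rule is satisfied, otherwise 'truncate'
    (assumed fallback: a minimal TC=1 reply so the client retries over TCP)."""
    info = parse_query(query)
    if info["qtype"] != ANY:
        return "answer"        # the rule only targets ANY
    if OPT_COOKIE in info["options"]:
        return "answer"        # a valid cookie already ties the query to a real source address
    if len(query) > answer_len:
        return "answer"        # the sender pays more bytes than the (possibly spoofed) victim receives
    return "truncate"

if __name__ == "__main__":
    q = build_any_query("example.com.")
    print(len(q), udp_any_policy(q, 1200), udp_any_policy(q, 3000))
```

The interesting property is visible in the last two calls: the same 1400-byte query is answered when the response would be 1200 bytes and deferred to TCP when it would be 3000 bytes, so a spoofed-source attacker never gets more bytes reflected at the victim than it had to send itself.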