Re: [DNSOP] Suggestion for "any" - TCP only
Paul Vixie <paul@redbarn.org> Mon, 09 March 2015 00:39 UTC
Message-ID: <54FCEBAF.2000302@redbarn.org>
Date: Sun, 08 Mar 2015 17:39:11 -0700
From: Paul Vixie <paul@redbarn.org>
To: Brian Dickson <brian.peter.dickson@gmail.com>
References: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com>
In-Reply-To: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Ps1lZZyhkB0YZd-3O9gFCA2Mb08>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] Suggestion for "any" - TCP only
> Brian Dickson <mailto:brian.peter.dickson@gmail.com>
> Sunday, March 08, 2015 2:55 PM
> Hey, everyone,
>
> Given the diagnostic value of "any" (and similarly "RRSIG" et al), I
> would prefer deprecation of only the UDP version, via mechanisms that
> are "dig"-friendly.

Alas, in a post-Snowden world, that's just not going to be enough.

> E.g. return TC=1 (and minimal response) instead, to trigger TCP retry.
>
> It throws out the bath water, but keeps the baby.
>
> I am guessing here, but would this be easy enough to implement?

Your preference for leaving TCP open implies that maybe you think restricting or deprecating meta-data queries has something to do with reflection/amplification defense. It does not, and any language to that effect will be removed from the next revision of Olafur's draft.

Moreover, the problem of metadata queries is that anything usable for diagnostics is also useful, in the same way and to the same degree, for surveillance. Queries for meta-data are overt information leaks. The default MUST be that they are not answered, though the default SHOULD be override-able by TSIG or client-ip or similar access control mechanisms.

-- 
Paul Vixie
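The two positions in this exchange, written out as server-side policy over the wire format, as an added example: this is not code from the message, from Olafur's draft, or from any nameserver. The policy names ("tc_only" for the TC=1-over-UDP suggestion, "refuse_by_default" for the refuse-unless-authorised position), the client-IP ACL, the key name "ops-key" and the sample queries are all constructed for the example. The TSIG handling only extracts the key name from the TSIG RR; MAC verification is assumed to have happened before the policy check.

```python
"""Server-side handling of DNS meta-queries (ANY, RRSIG) under two policies.

Added example for the thread, not from the original message or from a real
nameserver. Policies (names are the example's own):
  "tc_only"           answer meta-queries on TCP; on UDP reply TC=1 with an
                      empty answer so the client retries over TCP.
  "refuse_by_default" REFUSED on any transport unless a client-IP ACL or a
                      TSIG key authorises the client.
ACL, key name and sample queries are constructed. TSIG MAC verification is
assumed to happen before decide(); only the key name is extracted here.
"""
import ipaddress
import struct

QTYPE_A, QTYPE_RRSIG, QTYPE_TSIG, QTYPE_ANY = 1, 46, 250, 255
META_QTYPES = {QTYPE_ANY, QTYPE_RRSIG}
FLAG_QR, FLAG_TC = 0x8000, 0x0200
RCODE_REFUSED = 5

# Constructed access-control data for the example (documentation prefixes only).
EXAMPLE_ACL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
EXAMPLE_KEYS = {"ops-key"}


def encode_name(name):
    """Text name -> uncompressed wire-format name."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, off):
    """Wire-format name -> (text, offset after the name); follows compression pointers."""
    labels, end = [], None
    for _ in range(128):  # hard cap so a pointer loop cannot spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels) or ".", (end if end is not None else off)


def build_query(qid, qname, qtype, tsig_key=None):
    """Constructed query; the optional TSIG RR carries placeholder RDATA, not a real MAC."""
    msg = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1 if tsig_key else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if tsig_key:
        rdata = b"\x00" * 16
        msg += encode_name(tsig_key) + struct.pack("!HHIH", QTYPE_TSIG, 255, 0, len(rdata)) + rdata
    return msg


def parse_query(msg):
    """Header, the single question, and the TSIG key name if a TSIG RR is present."""
    qid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    question = msg[12:off]
    tsig_key = None
    for _ in range(an + ns + ar):  # walk the remaining RRs; TSIG is last in ADDITIONAL
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == QTYPE_TSIG:
            tsig_key = owner  # key name is the owner name of the TSIG RR (RFC 2845)
    return {"id": qid, "qname": qname, "qtype": qtype, "question": question, "tsig_key": tsig_key}


def decide(qtype, via_tcp, client_ip, tsig_key, policy, acl=EXAMPLE_ACL, keys=EXAMPLE_KEYS):
    """Return 'answer', 'truncate' or 'refuse' for one query under the given policy."""
    if qtype not in META_QTYPES:
        return "answer"
    if policy == "tc_only":
        return "answer" if via_tcp else "truncate"
    if policy == "refuse_by_default":
        addr = ipaddress.ip_address(client_ip)
        authorised = tsig_key in keys or any(addr in net for net in acl)
        return "answer" if authorised else "refuse"
    raise ValueError("unknown policy")


def build_reply(query, action):
    """Minimal reply: header with QR set plus the echoed question, no answer RRs."""
    flags = FLAG_QR | (FLAG_TC if action == "truncate" else 0)
    if action == "refuse":
        flags |= RCODE_REFUSED
    return struct.pack("!6H", query["id"], flags, 1, 0, 0, 0) + query["question"]


def reply_flags(reply):
    """(TC bit set?, RCODE) of a reply header: what the querying client will act on."""
    flags = struct.unpack_from("!H", reply, 2)[0]
    return bool(flags & FLAG_TC), flags & 0x000F


def handle(raw, via_tcp, client_ip, policy):
    """Full path for one query: parse, apply policy, build the wire reply."""
    q = parse_query(raw)
    action = decide(q["qtype"], via_tcp, client_ip, q["tsig_key"], policy)
    return action, build_reply(q, action)
```

Under "tc_only" the transport alone decides, so the same ANY query that gets TC=1 on UDP is answered in full as soon as the client retries over TCP; under "refuse_by_default" the transport is irrelevant and an ANY or RRSIG query from an address outside the ACL, without a known TSIG key, gets RCODE REFUSED on TCP as well. The `handle()` function is the one to call with a raw packet and the transport it arrived on.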
- [DNSOP] Suggestion for "any" - TCP only Brian Dickson
- Re: [DNSOP] Suggestion for "any" - TCP only Ralf Weber
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Vixie
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Wouters
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Vixie
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Wouters
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Vixie
- Re: [DNSOP] Suggestion for "any" - TCP only Oliver Peter
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Wouters
- Re: [DNSOP] Suggestion for "any" - TCP only Paul Vixie
- Re: [DNSOP] Suggestion for "any" - TCP only Hugo Maxwell Connery