Re: [DNSOP] Suggestion for "any" - TCP only

Paul Vixie <paul@redbarn.org> Mon, 09 March 2015 00:39 UTC

Message-ID: <54FCEBAF.2000302@redbarn.org>
Date: Sun, 08 Mar 2015 17:39:11 -0700
From: Paul Vixie <paul@redbarn.org>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Ps1lZZyhkB0YZd-3O9gFCA2Mb08>


> Brian Dickson <mailto:brian.peter.dickson@gmail.com>
> Sunday, March 08, 2015 2:55 PM
> Hey, everyone,
>
> Given the diagnostic value of "any" (and similarly "RRSIG" et al), I
> would prefer deprecation of only the UDP version, via mechanisms that
> are "dig"-friendly.

alas, in a post-snowden world, that's just not going to be enough.
>
> E.g. return TC=1 (and minimal response) instead, to trigger TCP retry.
>
> It throws out the bath water, but keeps the baby.
>
> I am guessing here, but would this be easy enough to implement?

your preference for leaving TCP open implies that maybe you think
restricting or deprecating meta-data queries has something to do with
reflection/amplification defense. it does not, and any language to that
effect will be removed from the next revision of olafur's draft.

moreover, the problem of metadata queries is that anything usable for
diagnostics is also useful, in the same way and to the same degree, for
surveillance. queries for meta-data are overt information leaks. the
default MUST be that they are not answered, though the default SHOULD be
override-able by TSIG or client-ip or similar access control mechanisms.

-- 
Paul Vixie
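
Added example (not part of the thread, and not code from either author): the two server behaviours under discussion, modelled side by side in Python against hand-built RFC 1035 wire format. Policy "tc-udp" is Dickson's quoted suggestion (answer an ANY query over UDP with TC=1 and a minimal question-only response so the resolver retries over TCP, where the full answer is given); policy "acl" is Vixie's default (refuse metadata queries with RCODE=REFUSED unless the client IP matches an access list). The zone contents, client addresses and the policy names are constructed for this example; a TSIG-based override is mentioned in the mail but not modelled here.

```python
"""Response policy for DNS metadata (ANY) queries: TC-over-UDP vs default-deny ACL.

Everything here (zone data, client addresses, policy names) is constructed for
the example. Wire encoding follows the RFC 1035 header/question/RR layout and is
written by hand so the file runs offline without a DNS library.
"""
import ipaddress
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
RCODE_NOERROR, RCODE_REFUSED = 0, 5

# Constructed zone: owner name -> list of (type, ttl, rdata)
ZONE = {
    "example.test.": [
        (QTYPE_A, 300, bytes([192, 0, 2, 1])),   # A 192.0.2.1 (documentation range)
        (QTYPE_TXT, 300, b"\x05hello"),          # TXT "hello" (one character-string)
    ],
}


def encode_name(name):
    """Encode a dotted name as a sequence of length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid=0x1234):
    """A single-question query with RD set, as a stub resolver would send."""
    return struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(wire):
    """Return (id, flags, (qd, an, ns, ar), qname, qtype, question_bytes).

    Only the header and the single question are parsed; answer RRs are counted
    via ANCOUNT, which is all the policy checks below need.
    """
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", wire[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while wire[off] != 0:
        ln = wire[off]
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(wire[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    off += 1
    qtype, _qclass = struct.unpack("!HH", wire[off:off + 4])
    return qid, flags, (qd, an, ns, ar), ".".join(labels) + ".", qtype, wire[12:off + 4]


def build_response(qid, req_flags, question, rrs, tc=False, rcode=RCODE_NOERROR):
    """Authoritative response echoing the question; owner names use a 0xC00C pointer."""
    flags = FLAG_QR | FLAG_AA | (req_flags & FLAG_RD) | rcode
    if tc:
        flags |= FLAG_TC
    body = b""
    for rtype, ttl, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!6H", qid, flags, 1, len(rrs), 0, 0) + question + body


def respond(wire, transport, client_ip, policy, any_allow=()):
    """Apply the chosen ANY-query policy; non-ANY queries are answered normally."""
    qid, flags, _, qname, qtype, question = parse_message(wire)
    rrs = ZONE.get(qname, [])
    if qtype != QTYPE_ANY:
        return build_response(qid, flags, question, [rr for rr in rrs if rr[0] == qtype])
    if policy == "tc-udp":
        if transport == "udp":
            # Minimal response, TC=1: no answer data, resolver retries over TCP.
            return build_response(qid, flags, question, [], tc=True)
        return build_response(qid, flags, question, rrs)      # full answer over TCP
    if policy == "acl":
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in any_allow):
            return build_response(qid, flags, question, [], rcode=RCODE_REFUSED)
        return build_response(qid, flags, question, rrs)      # override by client IP
    raise ValueError("unknown policy: %r" % policy)


def summarize(wire):
    """Header fields that show the policy outcome: TC bit, RCODE, answer count."""
    _, flags, counts, _, _, _ = parse_message(wire)
    return {"tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F, "ancount": counts[1]}


if __name__ == "__main__":
    q = build_query("example.test.", QTYPE_ANY)
    print("tc-udp / udp      ", summarize(respond(q, "udp", "192.0.2.50", "tc-udp")))
    print("tc-udp / tcp      ", summarize(respond(q, "tcp", "192.0.2.50", "tc-udp")))
    print("acl    / outsider ", summarize(respond(q, "udp", "192.0.2.50", "acl", ("198.51.100.0/24",))))
    print("acl    / insider  ", summarize(respond(q, "tcp", "198.51.100.7", "acl", ("198.51.100.0/24",))))
```

Running the file prints the header summary for each case. What the output makes visible is the difference the two mails are arguing over: under "tc-udp" the full ANY answer is still handed to any client willing to retry over TCP, while under "acl" a client outside the access list learns nothing beyond REFUSED, and ordinary A or TXT queries are unaffected by either policy.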