Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Paul Vixie <paul@redbarn.org> Wed, 18 March 2015 15:55 UTC

Message-ID: <55099FDE.6040502@redbarn.org>
Date: Wed, 18 Mar 2015 08:55:10 -0700
From: Paul Vixie <paul@redbarn.org>
To: Paul Wouters <paul@nohats.ca>
References: <20150309110803.4516.qmail@cr.yp.to> <20150309151812.GA14897@xs.powerdns.com> <20150316142350.GB26918@xs.powerdns.com> <55075C41.9000208@brokendns.net> <13D58CB4-95BD-412B-A073-C95617E97BCE@redbarn.org> <55077A64.7050906@brokendns.net> <CAGmQtQK1fa2Ji0gUzahZ4q4yJKTy9fwdRKDE+Vhe6h3ejBm=KA@mail.gmail.com> <55078075.8060803@brokendns.net> <CAGmQtQK9=47XiXS+uugev8cYgUn64S0s_fdpOiYRqVtsUinDbQ@mail.gmail.com> <alpine.LFD.2.10.1503170933130.25684@bofh.nohats.ca> <55092A1E.50405@redbarn.org> <alpine.LFD.2.10.1503180944580.23034@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1503180944580.23034@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/S9pLdcwNClmk3P-A5CUYQ5oSlGs>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards


> Paul Wouters <mailto:paul@nohats.ca>
> Wednesday, March 18, 2015 6:58 AM
> On Wed, 18 Mar 2015, Paul Vixie wrote:
>
>> my proposal is, limit ANY to a selected set of source-ip addresses,
>> as is commonly done with AXFR/IXFR.
>
> Which I answered before by saying that is basically killing the ANY
> query. The proposed solution merely pretends to not kill it by saying
> "acl".

i don't think there's any pretense here about not wanting to kill, or
not killing, ANY.

the history of DNS is replete with examples of information leaks which
had to be stopped, either by ad-hoc action or by standards action.
limiting who can do zone transfers was first (BIND4 "King James
Edition", 1989-ish). preventing DNSSEC zone walking was next (DNSEXT,
NSEC3, 2001-2014). now it's ANY. many things which made sense on an
academic research Internet do not make sense on a world-wide commercial
internet.

we need a document that says "If you don't want to answer ANY, here's
how to do it interoperably." we don't need to say "you should not answer
ANY", but we do need to say "if you want to query for ANY, here's what
might happen." that, sir, is a killing. we are killing ANY. there's no
pretense.

-- 
Paul Vixie
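The proposal quoted above, a source-address ACL on ANY modelled on the ACL most servers already apply to AXFR/IXFR, as an added example in Python. This is not code from the thread, from BIND, or from any other server discussed; it is a policy check that sits in front of normal query processing. The ACL prefixes, the choice of REFUSED as the reply to a rejected query (the conventional answer to an out-of-ACL AXFR), the sample queries, and the function names are all assumptions made here for illustration. It goes slightly beyond the quoted sentence by driving ANY, AXFR and IXFR through the same per-qtype table, which is the analogy the proposal draws.

```python
"""Source-address ACL for ANY (and, by the same mechanism, AXFR/IXFR) queries.

Added example for the proposal quoted in the thread; not code from the thread
or from any DNS server.  The ACL networks, the REFUSED rcode for rejected
queries, and the sample queries are assumptions made here for illustration.
"""
import ipaddress
import struct

QTYPE_A = 1
QTYPE_IXFR = 251
QTYPE_AXFR = 252
QTYPE_ANY = 255
RCODE_REFUSED = 5  # assumption: reject like an out-of-ACL AXFR is rejected

# Hypothetical ACLs (assumption): documentation prefixes standing in for
# "a selected set of source-ip addresses".
ANY_ACL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
XFR_ACL = [ipaddress.ip_network("198.51.100.0/24")]
RESTRICTED_QTYPES = {QTYPE_ANY: ANY_ACL, QTYPE_AXFR: XFR_ACL, QTYPE_IXFR: XFR_ACL}


def parse_question(packet: bytes):
    """Parse the header and the single question of a DNS message on the wire.

    Returns (id, flags, qname, qtype, qclass, raw_question_bytes).
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated qname")
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(packet[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return qid, flags, ".".join(labels) + ".", qtype, qclass, packet[12:off + 4]


def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a minimal wire query (RD set, one question, class IN)."""
    wire_name = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + wire_name + struct.pack("!HH", qtype, 1)


def source_allowed(src_ip: str, acl) -> bool:
    """True if src_ip falls inside any network of the ACL."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acl)


def refused_response(packet: bytes) -> bytes:
    """Echo the question back with QR set, opcode/RD copied, RCODE=REFUSED."""
    qid, flags, _, _, _, question = parse_question(packet)
    rflags = 0x8000 | (flags & 0x7900) | RCODE_REFUSED  # QR=1, keep opcode and RD
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + question


def filter_query(packet: bytes, src_ip: str, policy=RESTRICTED_QTYPES):
    """Apply the per-qtype source ACL in front of normal query processing.

    Returns None when the query may proceed, or a ready-to-send REFUSED
    response when the qtype is restricted and the source is outside its ACL.
    """
    _, _, _, qtype, _, _ = parse_question(packet)
    acl = policy.get(qtype)
    if acl is not None and not source_allowed(src_ip, acl):
        return refused_response(packet)
    return None


if __name__ == "__main__":
    # Constructed sample traffic: an ANY from outside the ACL, one from inside,
    # and a plain A query from the same outside address.
    for name, qtype, src in [("example.com", QTYPE_ANY, "203.0.113.7"),
                             ("example.com", QTYPE_ANY, "192.0.2.10"),
                             ("example.com", QTYPE_A, "203.0.113.7")]:
        verdict = filter_query(build_query(name, qtype), src)
        print(f"{name} type {qtype} from {src}: {'REFUSED' if verdict else 'answer normally'}")
```

The check is deliberately placed before any zone lookup, so a rejected ANY costs the server one header parse and a 12-byte-plus-question reply, and the same code path enforces the transfer ACL it is modelled on.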