Re: [DNSOP] Suggestion for "any" - TCP only

Oliver Peter <lists@peter.de.com> Mon, 09 March 2015 11:56 UTC

Date: Mon, 09 Mar 2015 11:55:59 +0000
From: Oliver Peter <lists@peter.de.com>
To: Paul Vixie <paul@redbarn.org>
Message-ID: <20150309115558.GA28800@mail.opdns.de>
References: <CAH1iCir+h+Kfj1q6JSqhGJ9ev0TQwRDSMci3APKCR=gJAW1phQ@mail.gmail.com> <alpine.LFD.2.10.1503082115040.2914@bofh.nohats.ca> <54FD1969.3070405@redbarn.org> <alpine.LFD.2.10.1503082359510.31060@bofh.nohats.ca> <54FD2F2F.7050704@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YMTOLZ5btpxrgYnShLwefewmyak>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Brian Dickson <brian.peter.dickson@gmail.com>

On Sun, Mar 08, 2015 at 10:27:11PM -0700, Paul Vixie wrote:
> 
> 
> > Paul Wouters <mailto:paul@nohats.ca>
> > Sunday, March 08, 2015 9:03 PM
> > On Sun, 8 Mar 2015, Paul Vixie wrote:
> >
> >
> > So why are we proposing to ACL the ANY queries again?
> 
> because people like me with dig-based diagnostic tools want to be able
> to run ANY queries against our own servers, from our NOC/SOC.

For a domain registrar who hosts a massive amount of slave zones on
several external nameservers (customer's own master, no way to access log
files) it's important to have good diagnostic tools.
I.e. a knob between allow-axfr-from and the ANY ACL would be nice.

Otherwise I'm with Paul Wouters that ACL will kill ANY queries.


-- 
Oliver PETER       oliver@gfuzz.de       0x456D688F