Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

[Shane Kerr <shane@time-travellers.org>]

Joe and all,

On 2015-10-01 02:25-0400
"Joe Abley" <jabley@hopcount.ca> wrote:

> On 1 Oct 2015, at 1:08, Evan Hunt wrote:
> 
> > The disadvantages of pick-one-RRset that I can see are 1) more
> > information leaked (but nothing that couldn't be obtained by sending
> > queries for individual qtypes anyway), and 2) modestly larger response
> > size (but still a lot better than unminimized ANY responses).
> >
> > Perhaps both approaches should be described in the draft.
> 
> I think I've run out of reasons why the HINFO approach is better than 
> your pick-one idea, which mainly leaves us with the HINFO approach 
> feeling a lot like a dirty hack that makes me want to shower, while 
> yours gets the job done without needing updates to 1035, assuming we 
> feel comfortable with the assertion that ANY doesn't have to mean ALL in 
> the context of an authority server. I like it quite a lot. Sorry again 
> to have missed it when you first brought it up.
> 
> Olafur had a particular code-base in mind as motivation for documenting 
> this, and he may have some perspectives that I have missed. On that 
> note, I will take a few steps away from the microphone.

In the case where people just want to reduce the damage of ANY queries
in reflection attacks, I quite like the PowerDNS option of forcing ANY
queries to TCP via truncation. I'm not sure if this has been documented
in any RFC, but if not then perhaps it bears mentioning too?

Cheers,

--
Shane