Re: [DNSOP] More work for DNSOP :-)
Bob Harold <rharolde@umich.edu> Fri, 06 March 2015 19:37 UTC
From: Bob Harold <rharolde@umich.edu>
To: Paul Vixie <paul@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/cGCfoqydHUgvdUP7xtivyY8DvvE>
Cc: IETF DNSOP WG <dnsop@ietf.org>

I would be concerned about blocking RD=0 (non-recursive). That would prevent me from checking to be sure an entry was NOT in the cache, in some DNS server my clients are using. That would make troubleshooting more difficult. Let's not automatically include that in some group to get easily blocked. A separate command to block RD=0 is fine, if someone chooses to use it, to make life difficult for others, that is their choice, but don't recommend it or make it part of a group.

--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharolde@umich.edu
734-647-6524 desk

On Fri, Mar 6, 2015 at 2:20 PM, Paul Vixie <paul@redbarn.org> wrote:

> Simon Perreault <sperreault@jive.com>
> Friday, March 06, 2015 11:15 AM
> On 2015-03-06 13:59, Paul Vixie wrote:
>
> like RD=0 sent to a recursive-only non-authoritative name server, its
> intended purpose is helping other people learn things about your name
> server state that you get no direct benefit from exposing.
>
> ...
>
> Full agreement.
>
> All of that would not be so bad if ANY did not appear to work. Mozilla,
> and others, would not have used ANY if it had not appeared to work.
> That's why ANY is so subversive.
>
> Let's break it significantly so it doesn't appear to work anymore.
>
> i now realize that the draft should cover "meta queries" in general,
> including RD=0 to a recursive server, AXFR and IXFR, and ANY of course,
> and whatever else we can come up with. and the recommendation should be
> to place these query types behind some access control mechanism, to
> prevent them from being used in normal DNS operations, but to support
> their use for diagnostic or other close-relationship activities (zone
> transfers).
>
> --
> Paul Vixie
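
The access-control split discussed in this message (a grouped policy for ANY, AXFR and IXFR, with RD=0 as a separate opt-in switch) can be sketched as follows. This is an added example, not code from the thread or from any name server; `decide`, `diag_acl`, the two switches and the sample addresses are hypothetical.

```python
import ipaddress
import struct

# QTYPE codes for the "meta queries" named in the thread.
META_QTYPES = {251: "IXFR", 252: "AXFR", 255: "ANY"}
RD_BIT = 0x0100  # "recursion desired" flag in the DNS header flags word

def build_query(name, qtype, rd=True, qid=0x1234):
    """Construct a one-question DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, RD_BIT if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    """Return (rd_flag, qtype) from a wire-format query, rejecting bad input."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while True:  # walk the QNAME labels up to the root label
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("invalid label in question")
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return bool(flags & RD_BIT), qtype

def decide(msg, src, diag_acl, block_meta_group=True, block_rd0=False):
    """Apply the policy: sources in diag_acl may always send meta queries.

    block_rd0 is its own switch and defaults to off, so RD=0 cache checks
    keep working unless an operator explicitly chooses to restrict them.
    """
    rd, qtype = parse_query(msg)
    trusted = any(ipaddress.ip_address(src) in net for net in diag_acl)
    if qtype in META_QTYPES and block_meta_group and not trusted:
        return "REFUSED:" + META_QTYPES[qtype]
    if not rd and block_rd0 and not trusted:
        return "REFUSED:RD=0"
    return "ALLOW"
```
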