Re: [DNSOP] More work for DNSOP :-)

Bob Harold <rharolde@umich.edu> Fri, 06 March 2015 19:37 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 422541A1DFA for <dnsop@ietfa.amsl.com>; Fri, 6 Mar 2015 11:37:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.477
X-Spam-Level:
X-Spam-Status: No, score=-1.477 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, GB_ABOUTYOU=0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xT5zXvhQ6EAh for <dnsop@ietfa.amsl.com>; Fri, 6 Mar 2015 11:37:10 -0800 (PST)
Received: from mail-la0-f54.google.com (mail-la0-f54.google.com [209.85.215.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 962691A6FEB for <dnsop@ietf.org>; Fri, 6 Mar 2015 11:37:02 -0800 (PST)
Received: by labgm9 with SMTP id gm9so20066710lab.8 for <dnsop@ietf.org>; Fri, 06 Mar 2015 11:37:01 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=JBLCgCRYyAuwIqsMo8AVi2dIWZFzGmbeYfwOPbyed5c=; b=SU6AgGRfM0/miu/hb0d51vPJt2LyTavDkmkLuPdsBpO0t8AZKvVy0vWUzK5MF3qZa8 NxYkFi/RI2HBzQj8P9EdLXG2jOmPLfElAnm/xFjGryR5bjsTT8PNjza2NM2/iLc581/1 6UXMTSBkZcAklg4mfowbc5n9czWc6iStbJkuevjrM2mr5XxIMVEZ+92vQQSh8WYmT1kd SvgP9LHsq/XcAjgtpsGTPhvPDPe3i6oCNed3L46iZbI9RUdw1MXjjc1oagFxi+mc5dJx N/mdxEgaH0PnK2kG1fzeQ6uq3j6/YakSPf7AY898dsrn1Mn3NLf6+rn8qF8rUkff8ajM QZ7w==
X-Gm-Message-State: ALoCoQkipZV3aLLWPhs9kf0GEnkYZLtpyqHLuSPL+bImQ2NZXLP+nOVZda52/VIxsq8GZv4qtTnR
MIME-Version: 1.0
X-Received: by 10.112.16.1 with SMTP id b1mr559537lbd.39.1425670621054; Fri, 06 Mar 2015 11:37:01 -0800 (PST)
Received: by 10.112.60.170 with HTTP; Fri, 6 Mar 2015 11:37:00 -0800 (PST)
In-Reply-To: <54F9FDFA.2030405@redbarn.org>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com> <54F9FDFA.2030405@redbarn.org>
Date: Fri, 6 Mar 2015 14:37:00 -0500
Message-ID: <CA+nkc8AyOvMwpoXQYmubxmWjKvkQwXYr1QaLPOoA1E-ahpV7wA@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: Paul Vixie <paul@redbarn.org>
Content-Type: multipart/related; boundary=001a11c3cd58ef64b00510a3ce7f
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/cGCfoqydHUgvdUP7xtivyY8DvvE>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] More work for DNSOP :-)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 19:37:13 -0000

I would be concerned about blocking RD=0 (non-recursive).  That would
prevent me from check to be sure an entry was NOT in the cache, in some DNS
server my clients are using. That would make troubleshooting more
difficult.  Let's not automatically include that in some group to get
easily blocked.  A separate command to block RD=0 is fine, if someone
chooses to use it, to make life difficult for others, that is their choice,
but don't recommend it or make it part of a group.



-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharolde@umich.edu
734-647-6524 desk

On Fri, Mar 6, 2015 at 2:20 PM, Paul Vixie <paul@redbarn.org> wrote:

>
>
>   Simon Perreault <sperreault@jive.com>
>  Friday, March 06, 2015 11:15 AM
> Le 2015-03-06 13:59, Paul Vixie a écrit :
>
>
> like RD=0 sent to a recursive-only non-authoritative
> name server, its intended purpose is helping other people learn things
> about your name server state that you get no direct benefit from exposing.
>
> ...
>
>
> Full agreement.
>
> All of that would not be so bad if ANY did not appear to work. Mozilla,
> and others, would not have used ANY if it had not appeared to work. That's
> why ANY is so subversive.
>
> Let's break it significantly so it doesn't appear to work anymore.
>
>
> i now realize that the draft should cover "meta queries" in general,
> including RD=0 to a recursive server, AXFR and IXFR, and ANY of course, and
> whatever else we can come up with. and the recommendation should be to
> place these query types behind some access control mechanism, to prevent
> them from being used in normal DNS operations, but to support their use for
> diagnostic or other close-relationship activities (zone transfers).
>
> --
> Paul Vixie
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>