Re: [DNSOP] More work for DNSOP :-)

Tony Finch <fanf2@cam.ac.uk> Sat, 07 March 2015 21:36 UTC

Return-Path: <fanf2@cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D537F1A03A9 for <dnsop@ietfa.amsl.com>; Sat, 7 Mar 2015 13:36:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XCQCrgv1mCN5 for <dnsop@ietfa.amsl.com>; Sat, 7 Mar 2015 13:36:26 -0800 (PST)
Received: from ppsw-40.csi.cam.ac.uk (ppsw-40.csi.cam.ac.uk [131.111.8.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F7D51A0092 for <dnsop@ietf.org>; Sat, 7 Mar 2015 13:36:26 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from host86-129-223-215.range86-129.btcentralplus.com ([86.129.223.215]:64627 helo=[192.168.1.107]) by ppsw-40.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:587) with esmtpsa (PLAIN:fanf2) (TLSv1:DHE-RSA-AES256-SHA:256) id 1YUMOV-0007Jo-jf (Exim 4.82_3-c0e5623) (return-path <fanf2@cam.ac.uk>); Sat, 07 Mar 2015 21:36:23 +0000
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Tony Finch <fanf2@cam.ac.uk>
X-Mailer: iPhone Mail (12B466)
In-Reply-To: <CA+nkc8AyOvMwpoXQYmubxmWjKvkQwXYr1QaLPOoA1E-ahpV7wA@mail.gmail.com>
Date: Sat, 7 Mar 2015 21:36:22 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <2C465FAA-166E-4BF0-97BB-20905AC4BFF4@cam.ac.uk>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com> <54F9FDFA.2030405@redbarn.org> <CA+nkc8AyOvMwpoXQYmubxmWjKvkQwXYr1QaLPOoA1E-ahpV7wA@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/gq2NpYGrv8meUoqlOhorpNY_h0Q>
X-Mailman-Approved-At: Sat, 07 Mar 2015 13:53:32 -0800
Cc: IETF DNSOP WG <dnsop@ietf.org>, Paul Vixie <paul@redbarn.org>
Subject: Re: [DNSOP] More work for DNSOP :-)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2015 21:36:28 -0000

> On 6 Mar 2015, at 19:37, Bob Harold <rharolde@umich.edu> wrote:
> 
> I would be concerned about blocking RD=0 (non-recursive).  That would prevent me from check to be sure an entry was NOT in the cache, in some DNS server my clients are using. 

I thought cache probing was considered an unfortunate information leak :-)

You can block rd=0 in BIND using a view with a match-recursive-only directive. So I think the only missing ACL is for ANY (and the similar RRSIG).

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at