On Tue, Jul 7, 2020 at 2:21 PM Brett Delmage <br...@brettdelmage.ca> wrote:
> On Tue, 7 Jul 2020, Tony Finch wrote:
>
> > Reduce the size of responses to ANY queries, which are a favourite tool of
> > amplification attacks. There's basically no downside to this one, in my
> > opinion, but I'm biased because I implemented it.
> >
> >         minimal-any yes;
>
> Why only reduce and not eliminate?
>
> Can ANY responses be disabled completely with an option?
>
> This article at cloudflare
> https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
> states that they have deprecated it because it wasn't being used. They
> should know! This was posted over 5 years ago, in 2015.
>

Cloudflare themselves now implement the "minimal any" behavior described in
this spec:

https://tools.ietf.org/html/rfc8482

Responding to ANY with NOTIMP, REFUSED, or unknown RCODEs, or not responding
at all results in undesirable follow-on behaviour from DNS resolvers (mostly
aggressive retries).

Shumon.

---
$ dig @ns1.cloudflare.com. cloudflare.com. ANY

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54526
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cloudflare.com.                IN      ANY

;; ANSWER SECTION:
cloudflare.com.         3789    IN      HINFO   "RFC8482" ""
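The response shape in the dig output above can be checked programmatically. This is an added example, not part of the original thread: it parses a DNS response in wire format, reports whether it is the single synthesized HINFO "RFC8482" answer, and prints the response-to-query size ratio. The function names are hypothetical and the sample response bytes are constructed to mirror the dig output.

```python
import struct

QTYPE_ANY, TYPE_HINFO, CLASS_IN = 255, 13, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_any_query(name, qid):
    """Header (RD set, QDCOUNT=1) followed by one QTYPE=ANY question."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", QTYPE_ANY, CLASS_IN)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_any_response(msg):
    """Return (rcode, answer_count, is_rfc8482_hinfo)."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    hinfo = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        # HINFO RDATA is two character-strings: CPU, then OS
        if rtype == TYPE_HINFO and rdata and rdata[1:1 + rdata[0]] == b"RFC8482":
            hinfo = True
    return flags & 0x000F, an, hinfo and an == 1

def sample_response():
    """Constructed bytes mirroring the dig output above (flags qr aa rd)."""
    query = build_any_query("cloudflare.com", 54526)
    rdata = b"\x07RFC8482\x00"                  # CPU="RFC8482", OS=""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_HINFO, CLASS_IN, 3789, len(rdata)) + rdata
    return struct.pack("!6H", 54526, 0x8500, 1, 1, 0, 0) + query[12:] + rr

if __name__ == "__main__":
    q, r = build_any_query("cloudflare.com", 54526), sample_response()
    print(classify_any_response(r), "amplification: %.2fx" % (len(r) / len(q)))
```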