> Paul Wouters <mailto:p...@nohats.ca>
> Wednesday, March 18, 2015 6:58 AM
>
> On Wed, 18 Mar 2015, Paul Vixie wrote:
>
>> my proposal is, limit ANY to a selected set of source-ip addresses,
>> as is commonly done with AXFR/IXFR.
>
> Which I answered before by saying that is basically killing the ANY
> query. The proposed solution merely pretends to not kill it by saying
> "acl".
i don't think there's any pretense here about not wanting to kill, or not killing, ANY.

the history of DNS is replete with examples of information leaks which had to be stopped, either by ad-hoc action or by standards action. limiting who can do zone transfers was first (BIND4 "King James Edition", 1989-ish). preventing DNSSEC zone walking was next (DNSEXT, NSEC3, 2001-2014). now it's ANY.

many things which made sense on an academic research Internet do not make sense on a world-wide commercial internet. we need a document that says "If you don't want to answer ANY, here's how to do it interoperably." we don't need to say "you should not answer ANY", but we do need to say "if you want to query for ANY, here's what might happen."

that, sir, is a killing. we are killing ANY. there's no pretense.

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
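The proposal quoted at the top of the thread, "limit ANY to a selected set of source-ip addresses, as is commonly done with AXFR/IXFR", is easy to state and worth seeing as concrete policy logic. The following is an added example, not code from the thread or from any DNS server implementation: it parses the question section of a DNS wire-format query, checks whether QTYPE is ANY (255), and applies a source-address ACL, returning REFUSED for ANY from outside the ACL and NOERROR otherwise. The class and function names, the ACL networks, and the sample query are all constructed for this example. It models only the behaviour described in the quoted proposal; what was eventually standardized for ANY (RFC 8482, minimal synthesized responses) is a different choice and is not modeled here.

```python
"""ANY-query source-address ACL, as an added example (not code from the thread
or from any DNS server). Names, networks and the sample query are constructed."""
import ipaddress
import struct

QTYPE_A = 1
QTYPE_ANY = 255
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) from the first question of a DNS message.

    Raises ValueError on truncated or malformed input so a caller never acts
    on a half-parsed question.
    """
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal RD=1, QDCOUNT=1 query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b""
    for label in qname.rstrip(".").split("."):
        body += bytes([len(label)]) + label.encode("ascii")
    body += b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + body


class AnyQueryAcl:
    """Source-address ACL for ANY, in the spirit of an AXFR/IXFR allow list."""

    def __init__(self, allowed):
        self.networks = [ipaddress.ip_network(n) for n in allowed]

    def permits(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        # A v4 address is never "in" a v6 network and vice versa; ipaddress
        # returns False in that case rather than raising.
        return any(addr in net for net in self.networks)


def decide(packet: bytes, source_ip: str, acl: AnyQueryAcl) -> int:
    """Return the RCODE a server applying the ACL would send.

    ANY from outside the ACL is REFUSED; everything else proceeds to normal
    resolution (NOERROR here; the actual answer is out of scope).
    """
    _, qtype, _ = parse_question(packet)
    if qtype == QTYPE_ANY and not acl.permits(source_ip):
        return RCODE_REFUSED
    return RCODE_NOERROR


if __name__ == "__main__":
    # Hypothetical ACL: one IPv4 and one IPv6 documentation prefix.
    acl = AnyQueryAcl(["192.0.2.0/24", "2001:db8::/32"])
    any_q = build_query("example.com.", QTYPE_ANY)
    print("ANY from 198.51.100.7 ->", decide(any_q, "198.51.100.7", acl))  # 5 (REFUSED)
    print("ANY from 192.0.2.10  ->", decide(any_q, "192.0.2.10", acl))    # 0 (NOERROR)
```

Note that this is a per-query check on a value the client chooses (the source address), so it is only as strong as the network's protection against spoofing; for UDP queries that is weaker than the TCP-backed AXFR case the proposal draws its analogy from, which is part of why the thread treats an ACL on ANY as effectively removing ANY for the public rather than as a neutral control.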