On 2015-10-01 12:13+0100 Dick Franks <rwfra...@acm.org> wrote:

> Dick Franks
> ________________________
>
> On 1 October 2015 at 11:12, Shane Kerr <sh...@time-travellers.org> wrote:
>
> > In the case where people just want to reduce the damage of ANY queries
> > in reflection attacks, I quite like the PowerDNS option of forcing ANY
> > queries to TCP via truncation. I'm not sure if this has been documented
> > in any RFC, but if not then perhaps it bears mentioning too?
>
> That rests on two assumptions:
>
> 1) that damage limitation from reflection attacks is the primary concern
> here, which appears no longer to be the case.

The draft documents amplification attacks:

    ANY queries are also frequently used to exploit the amplification
    potential of DNS servers using spoofed source addresses and UDP
    transport (see [RFC5358]). Having the ability to return small
    responses to such queries makes DNS servers less attractive
    amplifiers.

Which is why I mention it.

> 2) that there is some plausible reason for doing ANY queries, in which case
> it would be interesting to know what that might be.

The entire draft presumes some plausible reason for doing ANY queries,
otherwise it would just say "we hereby deprecate ANY queries". :P

In fact the start of the motivations section tries to address this:

    ANY queries are legitimately used for debugging and checking the
    state of a DNS server for a particular owner name.

I'm not sure I totally agree, since I have never had occasion to use an
ANY query in anger, but some people seem really attached to it.

Cheers,

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
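As an added illustration of the truncation-based mitigation discussed in this thread (example code written for this page, not code from the thread, from PowerDNS, or from the draft): a minimal hand-rolled responder that answers ANY over UDP with an answer-less TC=1 reply, so a spoofed-source query yields no amplification while a real client retries over TCP and gets the full answer. Wire-format encoding follows RFC 1035; the query name, the addresses and the `respond`/`amplification` helper names are constructed for the example.

```python
import struct

QTYPE_A, QTYPE_ANY = 1, 255
FLAG_TC = 0x0200          # truncation bit in the DNS header flags word

def encode_name(qname):
    """Encode "example.com." as uncompressed DNS labels."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype, txid=0x1234):
    """Constructed sample query: RD=1, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def a_record(ipv4, ttl=300):
    """A record whose owner is a pointer (0xC00C) to the question name."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    return struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, len(rdata)) + rdata

def parse_question(msg):
    """Return (txid, qtype, question_section_bytes) for a one-question message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    while msg[off] != 0:          # walk the labels to the terminating zero byte
        off += 1 + msg[off]
    off += 1 + 4                  # zero byte, then QTYPE and QCLASS
    qtype = struct.unpack("!H", msg[off - 4:off - 2])[0]
    return txid, qtype, msg[12:off]

def respond(query, transport, answers):
    """ANY over UDP gets an answer-less TC=1 reply; everything else is answered."""
    txid, qtype, question = parse_question(query)
    if qtype == QTYPE_ANY and transport == "udp":
        # QR=1 TC=1 RD=1 RA=1 and no RRs: the reply is exactly the size of the
        # query, so a reflected ANY gains nothing; real clients retry over TCP.
        return struct.pack("!HHHHHH", txid, 0x8180 | FLAG_TC, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)

def amplification(query, response):
    """Bytes returned per byte received: the ratio a reflection victim sees."""
    return len(response) / len(query)
```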