Re: Allow-Query=any
Yah, I guess it does kinda :-)

I seem to remember Olafur or Marek admitted that including the text was an ugly, temporary kludge, and provided some "cover" so that it was more clear that this was the intended behavior, and not that e.g. they had just not fully implemented ANY (as many DNS load-balancers / middleboxes seem to do). Once this becomes common practice the HINFO can go to null.

Personally I think that they should have instead:
A: inserted naughty limericks or
B: sold this space off as advertising space.

W
DISCLAIMER: B is a joke... although huh

On Thu, Jan 7, 2016 at 5:05 PM Darcy Kevin (FCA) wrote:

> I do find it a little ironic that the HINFO RDATA shown earlier in the
> thread, references the "refuse-any" draft, yet, in the selfsame RDATA,
> violates one of the "SHOULD"s of the draft:
>
> "The OS field of the HINFO RDATA SHOULD be set to the null string to
> minimise the size of the response."
>
> Kind of sends a mixed message, don't you think?
>
> -
> Kevin
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:
> bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
> Sent: Thursday, January 07, 2016 4:41 PM
> To: bind-users@lists.isc.org
> Subject: Re: Allow-Query=any
>
>
> On 07.01.2016 at 22:31, Warren Kumari wrote:
> > Reindl, did you read the draft referred to in the HINFO? (
> > https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ ). It
> > clearly outlines the reasons that Cloudflare is doing this. This
> > document was discussed in the DNSOP WG, and was presented at a few
> > meetings.
> > The consensus within the DNSOP WG was to adopt and work on the draft,
> > so I object to your characterization of this as "another clueless
> > idiot degrading services" at a large company.
> > Olafur and Joe (the authors of this) are far from clueless idiots.
> >
> > In addition, please try to moderate your tone - people come to the
> > BIND Users list for assistance - your argumentative (and often
> > insulting) posts are not helpful to building a community
>
> i did read and understand the reasoning long before this thread as i also
> had the RRL patches in production long before they went to stable releases
> http://www.tummy.com/blogs/2013/02/20/bindrrl-patched-rpms-available/
>
> with RRL and "minimal-responses yes;" the response size/impact of a ANY
> query is very limited while that is a completely different reasoning than "I
> don't want display all info"

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Allow-Query=any
I do find it a little ironic that the HINFO RDATA shown earlier in the thread, references the "refuse-any" draft, yet, in the selfsame RDATA, violates one of the "SHOULD"s of the draft:

"The OS field of the HINFO RDATA SHOULD be set to the null string to minimise the size of the response."

Kind of sends a mixed message, don't you think?

- Kevin

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
Sent: Thursday, January 07, 2016 4:41 PM
To: bind-users@lists.isc.org
Subject: Re: Allow-Query=any

On 07.01.2016 at 22:31, Warren Kumari wrote:
> Reindl, did you read the draft referred to in the HINFO? (
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ ). It
> clearly outlines the reasons that Cloudflare is doing this. This
> document was discussed in the DNSOP WG, and was presented at a few meetings.
> The consensus within the DNSOP WG was to adopt and work on the draft,
> so I object to your characterization of this as "another clueless
> idiot degrading services" at a large company.
> Olafur and Joe (the authors of this) are far from clueless idiots.
> In addition, please try to moderate your tone - people come to the
> BIND Users list for assistance - your argumentative (and often
> insulting) posts are not helpful to building a community

i did read and understand the reasoning long before this thread as i also had the RRL patches in production long before they went to stable releases
http://www.tummy.com/blogs/2013/02/20/bindrrl-patched-rpms-available/

with RRL and "minimal-responses yes;" the response size/impact of a ANY query is very limited while that is a completely different reasoning than "I don't want display all info"
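Added example, not part of the original thread: a short Python check for the "SHOULD" quoted in the message above. It parses the answer section of the dig output posted in this thread, finds the HINFO record, and reports whether its OS field is the null string and how many RDATA octets a null OS field would save. The function names are illustrative, and the sample input is the thread's answer section with whitespace normalised.

```python
import shlex

# Answer section from the dig output quoted in this thread (whitespace normalised).
ANSWER_SECTION = '''\
lloyds.co.uk. 3789 IN HINFO "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
'''

def parse_records(text):
    """Parse presentation-format lines into (name, ttl, class, type, rdata fields)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        fields = shlex.split(line)  # keeps each quoted <character-string> as one field
        if len(fields) < 5:
            continue
        name, ttl, rrclass, rrtype = fields[:4]
        records.append((name, int(ttl), rrclass, rrtype.upper(), fields[4:]))
    return records

def hinfo_rdata_len(cpu, os_field):
    """Wire length of HINFO RDATA: two <character-string>s, each 1 length octet + data."""
    for s in (cpu, os_field):
        if len(s.encode()) > 255:
            raise ValueError("character-string longer than 255 octets")
    return 1 + len(cpu.encode()) + 1 + len(os_field.encode())

def check_hinfo(text):
    """For each HINFO record, report the OS field state and the cost of a non-null OS."""
    findings = []
    for name, _ttl, _cls, rrtype, rdata in parse_records(text):
        if rrtype != "HINFO" or len(rdata) != 2:
            continue
        cpu, os_field = rdata
        size = hinfo_rdata_len(cpu, os_field)
        findings.append({
            "name": name,
            "os_is_null": os_field == "",
            "rdata_len": size,
            "saved_if_null": size - hinfo_rdata_len(cpu, ""),
        })
    return findings

if __name__ == "__main__":
    for finding in check_hinfo(ANSWER_SECTION):
        print(finding)
```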
Re: Allow-Query=any
Warren Kumari wrote:
> Olafur and Joe (the authors of this) are far from clueless idiots.

+1

> In addition, please try to moderate your tone - people come to the BIND
> Users list for assistance - your argumentative (and often insulting) posts
> are not helpful to building a community.

+1

--
Robert Edmonds
Re: Allow-Query=any
On 07.01.2016 at 22:31, Warren Kumari wrote:
> Reindl, did you read the draft referred to in the HINFO? (
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ ). It
> clearly outlines the reasons that Cloudflare is doing this. This
> document was discussed in the DNSOP WG, and was presented at a few meetings.
> The consensus within the DNSOP WG was to adopt and work on the draft,
> so I object to your characterization of this as "another clueless
> idiot degrading services" at a large company.
> Olafur and Joe (the authors of this) are far from clueless idiots.
> In addition, please try to moderate your tone - people come to the
> BIND Users list for assistance - your argumentative (and often
> insulting) posts are not helpful to building a community

i did read and understand the reasoning long before this thread as i also had the RRL patches in production long before they went to stable releases
http://www.tummy.com/blogs/2013/02/20/bindrrl-patched-rpms-available/

with RRL and "minimal-responses yes;" the response size/impact of a ANY query is very limited while that is a completely different reasoning than "I don't want display all info"
Re: Allow-Query=any
On Thu, Jan 7, 2016 at 3:25 PM Reindl Harald wrote:

> On 07.01.2016 at 21:18, G.W. Haywood wrote:
> > Hi there,
> >
> > On Thu, 7 Jan 2016, Reindl Harald wrote:
> >
> >> ... when somebody wants a information which exists in
> >> the DNS he can ask for that information - unconditionally
>
> you don't get it
>
> if i want to ask for your SOA or NS-records then i ask for them
>
> there is *NO POINT* you can prohibit that unless you need a working
> nameserver and the only thing you *could* achieve is that i need more
> queries than normally needed raising the load on your own nameserver
>
> what would happen if you can achieve it:
>
> * in the best case no difference
> * in the worst case broken clients and degraded service
>
> prohibit things just for the sake of prohibit them is clueless,
> dangerous and unless you have a *real good* reason for your goal you
> should ask yourself if you *really* have the knowledge to maintain
> public nameservers - sorry - impossible to say that more polite
>
> > laptop3:~$ >>> dig -t any lloyds.co.uk
>
> tells me that there is another clueless idiot degrading services as it
> often happens - the larger the company the more foolish admins
>
> WHAT do they gain with it?
> NOTHING

Reindl, did you read the draft referred to in the HINFO? ( https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ ). It clearly outlines the reasons that Cloudflare is doing this. This document was discussed in the DNSOP WG, and was presented at a few meetings. The consensus within the DNSOP WG was to adopt and work on the draft, so I object to your characterization of this as "another clueless idiot degrading services" at a large company.
Olafur and Joe (the authors of this) are far from clueless idiots.

In addition, please try to moderate your tone - people come to the BIND Users list for assistance - your argumentative (and often insulting) posts are not helpful to building a community.

W

> > ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;lloyds.co.uk. IN ANY
> >
> > ;; ANSWER SECTION:
> > lloyds.co.uk. 3789 IN HINFO "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
> > lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
> > lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
> >
> > ;; AUTHORITY SECTION:
> > lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
> > lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
> >
> > ;; Query time: 54 msec
> > ;; SERVER: 192.168.44.72#53(192.168.44.72)
> > ;; WHEN: Thu Jan 07 20:17:18 GMT 2016
> > ;; MSG SIZE rcvd: 197
Re: Allow-Query=any
On 07.01.2016 at 21:18, G.W. Haywood wrote:
> Hi there,
>
> On Thu, 7 Jan 2016, Reindl Harald wrote:
>
>> ... when somebody wants a information which exists in
>> the DNS he can ask for that information - unconditionally

you don't get it

if i want to ask for your SOA or NS-records then i ask for them

there is *NO POINT* you can prohibit that unless you need a working nameserver and the only thing you *could* achieve is that i need more queries than normally needed raising the load on your own nameserver

what would happen if you can achieve it:

* in the best case no difference
* in the worst case broken clients and degraded service

prohibit things just for the sake of prohibit them is clueless, dangerous and unless you have a *real good* reason for your goal you should ask yourself if you *really* have the knowledge to maintain public nameservers - sorry - impossible to say that more polite

> laptop3:~$ >>> dig -t any lloyds.co.uk

tells me that there is another clueless idiot degrading services as it often happens - the larger the company the more foolish admins

WHAT do they gain with it?
NOTHING

> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;lloyds.co.uk. IN ANY
>
> ;; ANSWER SECTION:
> lloyds.co.uk. 3789 IN HINFO "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
> lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
> lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
>
> ;; AUTHORITY SECTION:
> lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
> lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
>
> ;; Query time: 54 msec
> ;; SERVER: 192.168.44.72#53(192.168.44.72)
> ;; WHEN: Thu Jan 07 20:17:18 GMT 2016
> ;; MSG SIZE rcvd: 197
Re: Allow-Query=any
Hi there,

On Thu, 7 Jan 2016, Reindl Harald wrote:

> ... when somebody wants a information which exists in
> the DNS he can ask for that information - unconditionally

laptop3:~$ >>> dig -t any lloyds.co.uk

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> -t any lloyds.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lloyds.co.uk. IN ANY

;; ANSWER SECTION:
lloyds.co.uk. 3789 IN HINFO "Please stop asking for ANY" "See draft-jabley-dnsop-refuse-any"
lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.
lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.

;; AUTHORITY SECTION:
lloyds.co.uk. 137094 IN NS matt.ns.cloudflare.com.
lloyds.co.uk. 137094 IN NS dina.ns.cloudflare.com.

;; Query time: 54 msec
;; SERVER: 192.168.44.72#53(192.168.44.72)
;; WHEN: Thu Jan 07 20:17:18 GMT 2016
;; MSG SIZE rcvd: 197

--
73,
Ged.
Re: Allow-Query=any
On 07.01.2016 at 07:56, Ejaz wrote:
> How to control from the DNS bind “Query type Any” such as. If someone does look up with query type =any, results will display the SOA section, mail and Name server information, which I don’t want display all info.. only specific information

while what you want makes *zero* sense because you can not hide mandatory infos with "minimal-responses yes;" the responses are way shorter and DNS traffic goes down by around 20% on a auth nameserver because the stripped "ADDITIONAL SECTION"

as already explained: when somebody wants a information which exists in the DNS he can ask for that information - unconditionally
Re: Allow-Query=any
On 07.01.16 09:56, Ejaz wrote:
> How to control from the DNS bind "Query type Any" such as. If someone does look up with query type =any, results will display the SOA section, mail and Name server information, which I don't want display all info.. only specific information

so, instead of providing type "ANY" you want people to flood your server with multiple queries for type?

if you have problems, response rate limiting should be better solution.

...I received spam from company with NS hosted at cloudflare that refuses ANY query. I am considering ignoring such domains.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler