Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-14 Thread Tony Finch
Brian Dickson wrote: > > Would it be feasible to limit the behavior of "refuse-any" returning > "partial" UDP responses, to situations where EDNS with DO=1 is used? No, this is a defence mechanism, so it needs to cope with uncooperative clients. > Older resolvers

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Brian Dickson
> > Richard Gibson wrote: > > Because without such a signal, humans using ANY for legitimate diagnostic > > purposes have no means of differentiating section 4.1/4.3 "subset" > > responses from conventional responses where there just happen to be only > a > > small number of RRSets at the queried

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Tony Finch
Vernon Schryver wrote: > > From: Tony Finch > > > One of the points of minimal-any is that the answer is not truncated > > because you do not want clients to automatically retry over TCP. > > This is > > to handle situations where many third-party recursive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Mark Andrews
In message <201702132243.v1dmhnkr062...@calcite.rhyolite.com>, Vernon Schryver writes: > > From: Tony Finch > > > One of the points of minimal-any is that the answer is not truncated > > because you do not want clients to automatically retry over TCP. This is > > to handle

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Vernon Schryver
> From: Tony Finch > One of the points of minimal-any is that the answer is not truncated > because you do not want clients to automatically retry over TCP. This is > to handle situations where many third-party recursive servers are under > attack using one of your names, so the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Tony Finch
Mark Andrews wrote: > > We don't need any new signalling. If the answer is truncated you > set tc=1. This works with all existing clients. One of the points of minimal-any is that the answer is not truncated because you do not want clients to automatically retry over TCP.

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Mark Andrews
We don't need any new signalling. If the answer is truncated you set tc=1. This works with all existing clients. If there is only a single RRset + RRSIGs then you don't get tc=1 except for traditional space reasons. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Wessels, Duane
> On Feb 13, 2017, at 10:15 AM, Richard Gibson wrote: > > On Mon, Feb 13, 2017 at 1:02 PM, Wessels, Duane wrote: > Tools like dig, when asked to issue an ANY query over UDP can: > > 1) fail with "ANY over UDP is deprecated", or > > That's not true,

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Richard Gibson
On Mon, Feb 13, 2017 at 1:02 PM, Wessels, Duane wrote: > Tools like dig, when asked to issue an ANY query over UDP can: > > 1) fail with "ANY over UDP is deprecated", or > That's not true, though, and tools have no way of knowing whether or not such a failure is

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Ólafur Guðmundsson
On Mon, Feb 13, 2017 at 9:50 AM, Richard Gibson wrote: > On Mon, Feb 13, 2017 at 12:38 PM, Robert Edmonds wrote: > >> You think this would actually provide any sort of useful information? No >> operator would understand what "MBZ: 0x" means without

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Richard Gibson
On Mon, Feb 13, 2017 at 12:38 PM, Robert Edmonds wrote: > You think this would actually provide any sort of useful information? No > operator would understand what "MBZ: 0x" means without re-training, > and if you're re-training operators you may as well point them to this

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Richard Gibson
On Mon, Feb 13, 2017 at 11:46 AM, Tony Finch wrote: > OK. But does an EDNS flag help? What if you are using old tools? If you are using old tools, then you don't get new conveniences (the same is true of using OPT class to specify a maximum payload size exceeding 512 bytes,

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Tony Finch
Richard Gibson wrote: > > The pitfall comes from unexamined muscle-memory assumptions when inspecting > a DNS response, so none of those methods avoid it. They're expecting people > to remember that longstanding behavior has changed without providing any > clue about it. OK. But

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Richard Gibson
On Mon, Feb 13, 2017 at 8:03 AM, Tony Finch wrote: > There are several ways to avoid this pitfall: > > Use TCP > > Look for an NSEC(3) record > > Query for the specific types you want to know about The pitfall comes from unexamined muscle-memory assumptions when inspecting a DNS

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-13 Thread Tony Finch
Richard Gibson wrote: > Because without such a signal, humans using ANY for legitimate diagnostic > purposes have no means of differentiating section 4.1/4.3 "subset" > responses from conventional responses where there just happen to be only a > small number of RRSets at the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-10 Thread Richard Gibson
Because without such a signal, humans using ANY for legitimate diagnostic purposes have no means of differentiating section 4.1/4.3 "subset" responses from conventional responses where there just happen to be only a small number of RRSets at the queried name, encouraging (or at least doing nothing

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-10 Thread Ólafur Guðmundsson
Thank you for your comments Q: why do you think it is useful to complicate things with a EDNS0 flag ? Olafur On Thu, Feb 9, 2017 at 8:47 PM, Richard Gibson wrote: > With full realization that this is coming very late in the game, we had a > great deal of internal

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-09 Thread Richard Gibson
With full realization that this is coming very late in the game, we had a great deal of internal conversation within Dyn about implementing refuse-any, and came away unsatisfied with both the "subset" and "HINFO" approaches—the latter because of reasons that have already been covered, and the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-08 Thread Ólafur Guðmundsson
This version addresses all the comments that the chair's determined needed addressing. Olafur On Wed, Feb 8, 2017 at 9:56 PM, wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Domain Name

[DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-08 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations of the IETF. Title : Providing Minimal-Sized Responses to DNS Queries that have QTYPE=ANY Authors : Joe Abley