Brian Dickson wrote:
>
> Would it be feasible to limit the behavior of "refuse-any" returning
> "partial" UDP responses, to situations where EDNS with DO=1 is used?
No, this is a defence mechanism, so it needs to cope with uncooperative
clients.
> Older resolvers
>
> Richard Gibson wrote:
> > Because without such a signal, humans using ANY for legitimate diagnostic
> > purposes have no means of differentiating section 4.1/4.3 "subset"
> > responses from conventional responses where there just happen to be only
> a
> > small number of RRSets at the queried
Vernon Schryver wrote:
> > From: Tony Finch
>
> > One of the points of minimal-any is that the answer is not truncated
> > because you do not want clients to automatically retry over TCP.
> > This is
> > to handle situations where many third-party recursive
In message <201702132243.v1dmhnkr062...@calcite.rhyolite.com>, Vernon Schryver
writes:
> > From: Tony Finch
>
> > One of the points of minimal-any is that the answer is not truncated
> > because you do not want clients to automatically retry over TCP. This is
> > to handle
> From: Tony Finch
> One of the points of minimal-any is that the answer is not truncated
> because you do not want clients to automatically retry over TCP. This is
> to handle situations where many third-party recursive servers are under
> attack using one of your names, so the
Mark Andrews wrote:
>
> We don't need any new signalling. If the answer is truncated you
> set tc=1. This works with all existing clients.
One of the points of minimal-any is that the answer is not truncated
because you do not want clients to automatically retry over TCP.
We don't need any new signalling. If the answer is truncated you
set tc=1. This works with all existing clients.
If there is only a single RRset + RRSIGs then you don't get tc=1
except for traditional space reasons.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
> On Feb 13, 2017, at 10:15 AM, Richard Gibson wrote:
>
> On Mon, Feb 13, 2017 at 1:02 PM, Wessels, Duane wrote:
> Tools like dig, when asked to issue an ANY query over UDP can:
>
> 1) fail with "ANY over UDP is deprecated", or
>
> That's not true,
On Mon, Feb 13, 2017 at 1:02 PM, Wessels, Duane
wrote:
> Tools like dig, when asked to issue an ANY query over UDP can:
>
> 1) fail with "ANY over UDP is deprecated", or
>
That's not true, though, and tools have no way of knowing whether or not
such a failure is
On Mon, Feb 13, 2017 at 9:50 AM, Richard Gibson wrote:
> On Mon, Feb 13, 2017 at 12:38 PM, Robert Edmonds wrote:
>
>> You think this would actually provide any sort of useful information? No
>> operator would understand what "MBZ: 0x" means without
On Mon, Feb 13, 2017 at 12:38 PM, Robert Edmonds wrote:
> You think this would actually provide any sort of useful information? No
> operator would understand what "MBZ: 0x" means without re-training,
> and if you're re-training operators you may as well point them to this
On Mon, Feb 13, 2017 at 11:46 AM, Tony Finch wrote:
> OK. But does an EDNS flag help? What if you are using old tools?
If you are using old tools, then you don't get new conveniences (the same
is true of using OPT class to specify a maximum payload size exceeding 512
bytes,
Richard Gibson wrote:
>
> The pitfall comes from unexamined muscle-memory assumptions when inspecting
> a DNS response, so none of those methods avoid it. They're expecting people
> to remember that longstanding behavior has changed without providing any
> clue about it.
OK. But
On Mon, Feb 13, 2017 at 8:03 AM, Tony Finch wrote:
> There are several ways to avoid this pitfall:
>
> Use TCP
>
> Look for an NSEC(3) record
>
> Query for the specific types you want to know about
The pitfall comes from unexamined muscle-memory assumptions when inspecting
a DNS
Richard Gibson wrote:
> Because without such a signal, humans using ANY for legitimate diagnostic
> purposes have no means of differentiating section 4.1/4.3 "subset"
> responses from conventional responses where there just happen to be only a
> small number of RRSets at the
Because without such a signal, humans using ANY for legitimate diagnostic
purposes have no means of differentiating section 4.1/4.3 "subset"
responses from conventional responses where there just happen to be only a
small number of RRSets at the queried name, encouraging (or at least doing
nothing
Thank you for your comments
Q: why do you think it is useful to complicate things with a EDNS0 flag ?
Olafur
On Thu, Feb 9, 2017 at 8:47 PM, Richard Gibson wrote:
> With full realization that this is coming very late in the game, we had a
> great deal of internal
With full realization that this is coming very late in the game, we had a
great deal of internal conversation within Dyn about implementing
refuse-any, and came away unsatisfied with both the "subset" and "HINFO"
approaches—the latter because of reasons that have already been covered,
and the
This version addresses all the comments that the chair's determined needed
addressing.
Olafur
On Wed, Feb 8, 2017 at 9:56 PM, wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations of the IETF.
Title : Providing Minimal-Sized Responses to DNS Queries that
have QTYPE=ANY
Authors : Joe Abley
20 matches
Mail list logo