> > are there legitimate reasons to continue supporting ANY queries?
>
> Good question.
> They are very useful for debugging. I would regret their
> disappearance. What about forcing TCP for ANY requests only? It would
> limit ANY requests to people who don't spoof their source IP address.
>
> I do not know how to force TC for replies to ANY queries. Patches for

This will limit the amplification factor (and I was looking for something like this too), but I guess that most of the name servers are trying to put as much as possible in the answer packet and setting the TC bit, so without an option to reduce the answer packet to a minimum, it will not help much.

> BIND and nsd are welcome. In the meantime, limiting the outbound size
> to something that will probably affect only ANY queries is a
> possible workaround:
>
> BIND:
> max-udp-size 1460

I did this, but even then the amplification factor seems to be high enough. One problem is the ANY query (and I'm pretty sure that this is indeed a big problem), but another one is the number of RRs at the zone apex. I think it was an engineering fault to place SPF records (and the TXT representation) at the zone apex (even MX records should be replaced by the more general SRV record).

Anyway, personally I do not see the benefit of ANY queries at all. So deprecation is overdue.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
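An added example, not from the thread or from any of its posters: a small Python check that reads BIND 9 style query-log lines and counts, per client address, the ANY queries that arrived over UDP, skipping TCP-borne ones for the reason given above (a TCP client cannot spoof its source). The log lines and the threshold are constructed for illustration, and the line shape `client ADDR#PORT (NAME): query: NAME IN TYPE FLAGS` with `T` marking TCP is assumed from BIND 9's query-log format.

```python
import re
from collections import Counter

# Regex for the BIND 9 query-log line shape (client address, qname, qtype, flags).
# The "T" character in the flags field marks a query that arrived over TCP.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log lines, not real traffic: one UDP client repeating ANY,
# one TCP client doing the same, and one ordinary A lookup.
SAMPLE_LOG = """\
client 192.0.2.10#53123 (example.com): query: example.com IN ANY +E (203.0.113.1)
client 192.0.2.10#53124 (example.com): query: example.com IN ANY +E (203.0.113.1)
client 192.0.2.10#53125 (example.com): query: example.com IN ANY +E (203.0.113.1)
client 198.51.100.7#40000 (example.com): query: example.com IN ANY +TE (203.0.113.1)
client 198.51.100.7#40001 (example.com): query: example.com IN ANY +TE (203.0.113.1)
client 203.0.113.9#1053 (www.example.com): query: www.example.com IN A + (203.0.113.1)
"""

def parse_line(line):
    """Return (ip, qtype, over_tcp) for a query-log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qtype"), "T" in m.group("flags")

def count_udp_any(log_text):
    """Count ANY queries that arrived over UDP, per client address.
    TCP ANY queries are skipped: a TCP client completed a handshake, so its
    source address is not spoofed and cannot be used for reflection."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qtype, over_tcp = parsed
        if qtype == "ANY" and not over_tcp:
            counts[ip] += 1
    return counts

def flag_sources(log_text, threshold=3):
    """Return client addresses whose UDP ANY query count reaches the threshold."""
    return sorted(ip for ip, n in count_udp_any(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_LOG):
        print(f"possible reflection source (UDP ANY flood): {ip}")
```

In production the threshold would be a rate over a time window rather than a raw count, and flagged sources would feed rate limiting rather than a blocklist, since the addresses are by assumption spoofed victims.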