I would be concerned about blocking RD=0 (non-recursive). That would prevent me from check to be sure an entry was NOT in the cache, in some DNS server my clients are using. That would make troubleshooting more difficult. Let's not automatically include that in some group to get easily blocked. A separate command to block RD=0 is fine, if someone chooses to use it, to make life difficult for others, that is their choice, but don't recommend it or make it part of a group.
-- Bob Harold hostmaster, UMnet, ITcom Information and Technology Services (ITS) rharo...@umich.edu 734-647-6524 desk On Fri, Mar 6, 2015 at 2:20 PM, Paul Vixie <p...@redbarn.org> wrote: > > > Simon Perreault <sperrea...@jive.com> > Friday, March 06, 2015 11:15 AM > Le 2015-03-06 13:59, Paul Vixie a écrit : > > > like RD=0 sent to a recursive-only non-authoritative > name server, its intended purpose is helping other people learn things > about your name server state that you get no direct benefit from exposing. > > ... > > > Full agreement. > > All of that would not be so bad if ANY did not appear to work. Mozilla, > and others, would not have used ANY if it had not appeared to work. That's > why ANY is so subversive. > > Let's break it significantly so it doesn't appear to work anymore. > > > i now realize that the draft should cover "meta queries" in general, > including RD=0 to a recursive server, AXFR and IXFR, and ANY of course, and > whatever else we can come up with. and the recommendation should be to > place these query types behind some access control mechanism, to prevent > them from being used in normal DNS operations, but to support their use for > diagnostic or other close-relationship activities (zone transfers). > > -- > Paul Vixie > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > >
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
