> Bob Harold <mailto:rharo...@umich.edu>
> Friday, March 06, 2015 11:37 AM
>
> I would be concerned about blocking RD=0 (non-recursive). That would
> prevent me from checking to be sure an entry was NOT in the cache, in
> some DNS server my clients are using. That would make troubleshooting
> more difficult. Let's not automatically include that in some group to
> get easily blocked. A separate command to block RD=0 is fine; if
> someone chooses to use it to make life difficult for others, that is
> their choice, but don't recommend it or make it part of a group.
i feel, and share, the pain you're describing. however, we're in a post-snowden era, and any information leaks (such as RD=0 queries to recursive-only servers) have to be reconsidered on the new risk:benefit model. i find that giving every one of my users and customers the ability to find out the presence, and if present the TTL, of anything in my cache is something more likely to be used against me than to be used for me.

the fact that this will make reasonable things like what you're describing also broadly impossible is no different from all the reasonable things that ubiquitous perfect forward secrecy will also make impossible.

as you say, fine-grained ACLs should be the recommendation. but the default ACL for all meta types should be recommended as "nobody".

this is further evidence that abuse breeds overcompensation, like with ANY itself. (if mozilla hadn't abused ANY, we would not be having this conversation.)

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
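The leak both messages argue about is cache snooping: an RD=0 query asks a recursive resolver to answer only from what it already holds, so the reply tells the sender whether a name is cached and, if so, its remaining TTL. The following is an added example, not code from the thread or from any resolver: it builds the RD=0 probe on the wire, parses the reply, and maps three hand-constructed responses (a cache hit, a miss, and a REFUSED from a server whose ACL denies the query) to a verdict. The response bytes are constructed locally; nothing is sent over the network, and the interpretation of REFUSED as "probe blocked by policy" is this example's assumption.

```python
"""Cache-snooping probe with RD=0 (added example; all responses below are constructed)."""
import struct

RD_FLAG, RA_FLAG, QR_FLAG = 0x0100, 0x0080, 0x8000   # header flag bits
RCODE_MASK, RCODE_REFUSED = 0x000F, 5
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a DNS query; rd=False clears RD, producing the non-recursive probe."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query: bytes, answers, rcode: int = 0, ra: bool = True) -> bytes:
    """Construct a reply to `query` (used here only to fabricate offline test input)."""
    txid, qflags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = QR_FLAG | (qflags & RD_FLAG) | (RA_FLAG if ra else 0) | rcode
    body = query[12:]                                   # echo the question section
    for _name, rtype, ttl, rdata in answers:
        # 0xC00C = compression pointer to the question name at offset 12
        body += struct.pack("!HHHIH", 0xC00C, rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, qd, len(answers), 0, 0) + body


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer: follow it once
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return header fields and answer RRs as (name, type, ttl, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "rd": bool(flags & RD_FLAG), "ra": bool(flags & RA_FLAG),
            "rcode": flags & RCODE_MASK, "answers": answers}


def snoop_verdict(resp: dict):
    """Interpret an RD=0 reply: ('refused'|'cached'|'not cached', ttl-or-None).

    The smallest TTL in the answer is what the probe learns about the cache entry
    (assumption: a policy-denied probe comes back as RCODE REFUSED)."""
    if resp["rcode"] == RCODE_REFUSED:
        return "refused", None
    if resp["answers"]:
        return "cached", min(a[2] for a in resp["answers"])
    return "not cached", None


if __name__ == "__main__":
    probe = build_query("www.example.com", rd=False)
    samples = {  # constructed replies, not captured traffic
        "hit": build_response(probe, [("www.example.com.", TYPE_A, 297, bytes([93, 184, 216, 34]))]),
        "miss": build_response(probe, []),
        "acl-denied": build_response(probe, [], rcode=RCODE_REFUSED),
    }
    for label, wire in samples.items():
        print(label, snoop_verdict(parse_response(wire)))
```

The "hit" branch is the information Vixie objects to handing out by default: a remote party learns both that `www.example.com` was recently looked up by someone behind the resolver and roughly when (TTL remaining). The "acl-denied" branch is what Bob Harold's troubleshooting probe sees once the default ACL is "nobody"; the fine-grained ACL both of them mention is what would let the operator's own address keep the first behaviour while everyone else gets the third.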