This draft is an old-school "00" - so I'll not get into nits. First - what is an "upstream Auth server"? Asking in the sense that perhaps you mean to say that the requestor ought to assume all sources for the domain name would return the same. (I.e., don't try another address.)
Second - the document lacks needed justification/trade-off discussion. I'll take a moment to lay out my thoughts on this.

What good is the ANY query today?

1) The one use case is to retrieve unexpected records at a domain name for which AXFR is not available. (An exhaustive search is possible, but would require 64K queries, which is arguably worse than what we have now - at its worst.)

All other uses of the ANY query can be covered, reasonably, by other means. (Having an AXFR of the zone for one, or a look at the database driving the configuration.)

How is the ANY query harmful?

1) It contributes, not uniquely, to the ease with which amplification attacks can make use of DNS servers to launch an attack on a third party. While it is true that any large response can accomplish this, ANY makes it "worse", but perhaps not incrementally significantly.

2) It has been proven to be misunderstood because it is the one query type that cannot guarantee coherence. Asking a cache with a partial set of the records of a domain name will give that subset, even with DNSSEC. Beyond being used in a confusing manner, there are cases where implementers' confusion is apparent in traffic loads.

3) In cases where the responses for certain RRtypes are environment-dependent, assembling the correct response is difficult. To keep this story short, yadda, yadda, yadda, the need to reply to ANY in this way gets in the way of exploring options in this space. (This description might take the longest to document.)
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
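The cache-coherence point (harm 2 above), as an added Python model that is not code from the message author or from any draft: a recursive cache stores RRsets one (name, type) at a time, so answering ANY from cache yields only the types that happen to be cached, even though each returned RRset is itself complete and would validate on its own. The name, record types and rdata are constructed sample data.

```python
# Constructed sample zone data: the authoritative server holds four RRsets
# at one owner name (values are made up for illustration).
AUTHORITATIVE = {
    "A":    ["192.0.2.10"],
    "AAAA": ["2001:db8::10"],
    "MX":   ["10 mail.example."],
    "TXT":  ['"v=spf1 -all"'],
}


class ResolverCache:
    """Minimal model of a recursive cache keyed by (owner name, RRtype).

    Each RRset is fetched and stored as an atomic unit (also the DNSSEC
    signing granularity), but nothing in the cache records whether it holds
    *every* type that exists at the owner name."""

    def __init__(self):
        self._rrsets = {}  # (name, rtype) -> list of rdata strings

    def lookup(self, name, rtype, authority):
        """Type-specific query: fill the cache from 'authority' on a miss."""
        key = (name, rtype)
        if key not in self._rrsets:
            self._rrsets[key] = list(authority.get(rtype, []))
        return self._rrsets[key]

    def any_from_cache(self, name):
        """ANY answered from cache: the union of whatever is cached for
        the name, which may be only a subset of what the authority holds."""
        return {t: list(r) for (n, t), r in self._rrsets.items()
                if n == name and r}


def any_from_authority(authority):
    """ANY answered by the authoritative server: all non-empty RRsets."""
    return {t: list(r) for t, r in authority.items() if r}


def demo():
    cache = ResolverCache()
    # Ordinary traffic has populated only the A and MX RRsets for the name.
    cache.lookup("example.", "A", AUTHORITATIVE)
    cache.lookup("example.", "MX", AUTHORITATIVE)
    cached = cache.any_from_cache("example.")
    full = any_from_authority(AUTHORITATIVE)
    missing = sorted(set(full) - set(cached))   # types the cache never saw
    return cached, full, missing
```

Every RRset in the cached answer matches the authority exactly, so no per-RRset check (DNSSEC included) can reveal that the ANY answer is incomplete.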