> Brian Dickson <mailto:brian.peter.dick...@gmail.com>
> Sunday, March 08, 2015 2:55 PM
>
> Hey, everyone,
>
> Given the diagnostic value of "any" (and similarly "RRSIG" et al), I
> would prefer deprecation of only the UDP version, via mechanisms that
> are "dig"-friendly.
alas, in a post-snowden world, that's just not going to be enough.

> E.g. return TC=1 (and minimal response) instead, to trigger TCP retry.
>
> It throws out the bath water, but keeps the baby.
>
> I am guessing here, but would this be easy enough to implement?

your preference for leaving TCP open implies that maybe you think restricting or deprecating meta-data queries has something to do with reflection/amplification defense. it does not, and any language to that effect will be removed from the next revision of olafur's draft.

moreover, the problem of metadata queries is that anything usable for diagnostics is also useful, in the same way and to the same degree, for surveillance. queries for meta-data are overt information leaks. the default MUST be that they are not answered, though the default SHOULD be override-able by TSIG or client-ip or similar access control mechanisms.

-- 
Paul Vixie
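The two positions in the exchange above, as an added example that is not part of the thread and not any server's code: Brian's "answer UDP meta queries with TC=1 and a minimal response so the client retries over TCP", layered on Paul's "don't answer meta-data queries by default, but let a client-IP ACL or TSIG override that". The ordering (ACL/TSIG check first, then UDP truncation), the META_QTYPES set, the constructed sample query, and the tsig_verified flag (TSIG verification itself is out of scope here) are my assumptions.

```python
"""Policy sketch for "meta" query types on a DNS server: refuse by default,
allow by client-IP ACL or verified TSIG, and force allowed UDP clients to TCP
with a TC=1 minimal response. Standalone Python, no network I/O."""
import ipaddress
import struct

# Assumed set of "meta-data" query types named in the thread (ANY, RRSIG).
QTYPE_ANY = 255
QTYPE_RRSIG = 46
META_QTYPES = {QTYPE_ANY, QTYPE_RRSIG}

RCODE_NOERROR = 0
RCODE_REFUSED = 5

FLAG_QR = 0x8000      # response
FLAG_TC = 0x0200      # truncated: client should retry over TCP
FLAG_RD = 0x0100      # recursion desired, echoed back
OPCODE_MASK = 0x7800  # opcode bits, echoed back


def build_query(txid, qname, qtype, qclass=1):
    """Build a minimal query: 12-byte header plus one question, no EDNS."""
    out = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    for label in (l for l in qname.rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_question(msg):
    """Parse header and the single question; reject compression pointers."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question": msg[12:off + 4]}


def minimal_response(txid, req_flags, rcode, question, tc=False):
    """Header plus echoed question only: no answer, authority or additional."""
    flags = FLAG_QR | (req_flags & (OPCODE_MASK | FLAG_RD)) | (rcode & 0xF)
    if tc:
        flags |= FLAG_TC
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def response_flags(resp):
    """Decode the fields a client or a test would look at."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "length": len(resp)}


def handle_meta_query(msg, client_ip, via_tcp, allow_nets=(), tsig_verified=False):
    """Return (decision, wire_response). Non-meta queries and allowed TCP
    queries return None so normal answer generation (not modelled) proceeds.
    tsig_verified is assumed to come from a real TSIG check done elsewhere."""
    q = parse_question(msg)
    if q["qtype"] not in META_QTYPES:
        return "normal", None
    client = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in allow_nets]
    if not (tsig_verified or any(client in n for n in nets)):
        # Default: not answered (REFUSED), per the "MUST" above.
        return "refused", minimal_response(q["id"], q["flags"], RCODE_REFUSED, q["question"])
    if not via_tcp:
        # Allowed client, but over UDP: TC=1 so it retries over TCP.
        return "truncated", minimal_response(q["id"], q["flags"], RCODE_NOERROR,
                                             q["question"], tc=True)
    return "answer", None


if __name__ == "__main__":
    # Constructed sample query and addresses (documentation ranges).
    q = build_query(0x1234, "example.com.", QTYPE_ANY)
    for ip, tcp, acl in [("203.0.113.7", False, []), ("192.0.2.10", False, ["192.0.2.0/24"]),
                         ("192.0.2.10", True, ["192.0.2.0/24"])]:
        d, r = handle_meta_query(q, ip, tcp, allow_nets=acl)
        print(ip, "tcp" if tcp else "udp", d, response_flags(r) if r else None)
```

Both the REFUSED and the TC=1 responses are exactly the size of the query (header plus echoed question), which is what "minimal response" buys you on the wire; the allowed-over-TCP path is the only one where a full answer would be generated.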
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop