Greetings again. The current draft has a few issues that should be resolved before the WG decides whether or not to take on this work.
The following statement seems fundamental to creating the new mechanism in the draft:

> The ANY meta query was defined for debugging purposes mainly against resolvers.

However, there is nothing in RFC 1034 or 1035 that supports that statement. The following two sentences have the same problem:

> There has been widespread misunderstanding as to what the query is supposed to do and when it is appropriate. The query is intended for testing what records for a particular name a resolver has in its cache.

Nothing in 1034 or 1035 indicates "debugging", nor that the response for a query of QTYPE=ANY has anything to do with the contents of the cache.

The document later says:

> By default the implementations SHOULD restrict it to localhost via ACL.

...with no support for the reason for the "SHOULD". No one has shown damage from the current default of allowing ANY queries. Yes, they might reveal data that a particular server operator doesn't want to release, and it is fine for those operators to use an ACL, but this "SHOULD" applies to all operators without justification, at least for ANY or RRSIG.

Proposal: remove the unsupported justifications involving ANY, and make the default restrictions for ANY and RRSIG "MAY" level.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
