On Mon, Mar 09, 2015 at 04:18:12PM +0100, bert hubert wrote:
> On Mon, Mar 09, 2015 at 11:08:03AM -0000, D. J. Bernstein wrote:
> > My "qmail" software is very widely deployed (on roughly 1 million SMTP
> > server IP addresses) and, by default, relies upon ANY queries in a way
> > that is guaranteed to work by the mandatory DNS standards.
> (...)
> Do you think I read 4.3.2 wrong? Or is there another RFC that updates the
> algorithm?
Thanks to some clarification from Dan, I now understand that one can indeed rely on ANY queries to resolvers to either deliver a CNAME or no CNAME, in which case there is no CNAME.

Separately, I fail to see why we actually need to outlaw ANY queries when we can happily TC=1 them. I realize it is nice to do house cleaning in DNS, but I also realize that having a document that says we deprecated ANY queries is not going to change a lot about the real world. People will continue to perform them and expect them to work.

A TC=1 answer does not generate any UDP packet amplification that can be used for reflection attacks, and in my experience, TCP/IP performance these days is stunning enough that the few legit ANY queries that come back pose no issue. http://blog.powerdns.com/2013/06/25/simple-tcpip-dns-benchmarking-tool/ has some numbers.

Incidentally, our new tool 'dnsdist' [1] implements any-to-tcp as a setting, proving that it could be added to any setup w/o too much work.

[1] http://dnsdist.org/

Bert
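The any-to-tcp behaviour discussed above, as an added example that is not code from this thread, PowerDNS or dnsdist: a minimal Python handler that answers an ANY query arriving over UDP with an empty TC=1 reply (so a well-behaved client retries over TCP) and measures the resulting amplification ratio. The function names, the "udp"/"tcp" transport tag and the constructed query are assumptions for the example.

```python
import struct

QTYPE_ANY = 255          # RFC 1035 QTYPE "*" (ANY)
FLAG_QR = 0x8000         # response bit
FLAG_TC = 0x0200         # truncated bit
MASK_OPCODE_RD = 0x7900  # opcode (bits 11-14) + RD (bit 8), copied from the query


def parse_question(msg: bytes):
    """Parse the header and first question section of a wire-format DNS message.
    Returns (id, flags, qname, qtype, qclass, offset_after_question)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not valid in a query's QNAME
            raise ValueError("compression pointer in question")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, flags, ".".join(labels), qtype, qclass, pos + 4


def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Constructed sample query (RD=1, one question, class IN) used for testing."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def any_to_tcp(query: bytes, transport: str):
    """Return an empty TC=1 reply for an ANY query received over UDP, or None
    to let normal answering proceed (non-ANY queries, or anything over TCP)."""
    qid, flags, _qname, qtype, _qclass, qend = parse_question(query)
    if transport != "udp" or qtype != QTYPE_ANY:
        return None
    resp_flags = FLAG_QR | FLAG_TC | (flags & MASK_OPCODE_RD)
    header = struct.pack("!6H", qid, resp_flags, 1, 0, 0, 0)  # QDCOUNT=1, no RRs
    return header + query[12:qend]  # echo only the question section


def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent back per byte received: the figure a reflector abuses."""
    return len(response) / len(query)
```

An ANY reply built this way is exactly as long as the query (ratio 1.0), which is why the TC=1 approach removes the UDP amplification without refusing the query type.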