Paul Wouters wrote:
> On Tue, 17 Mar 2015, Yunhong Gu wrote:
>
>> The reason that this response can be used for an amplification attack
>> is its size, not the ANY type. A response with 200 A records can be
>> used for the same purpose. The (even deeper) root cause is the use of
>> UDP in the DNS protocol. I just do not think banning ANY touches any of
>> these fundamental issues.
>
> Right, so require tcp or eastlake cookies,

that would protect third parties, but not the server itself.

> or allow padding the ANY
> request so the request/response ratio is close to 1 before allowing
> the answer.

that would not prevent the unfortunate information leak that allows third parties to scan our caches.

> Make the dig command default to tcp. That should cover
> the vast majority of valid ANY queries.

my proposal is, limit ANY to a selected set of source-ip addresses, as is commonly done with AXFR/IXFR.

--
Paul Vixie
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
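The mitigations discussed in this thread, combined into one query-policy routine as an added example (my code, not Paul Vixie's and not taken from any resolver): ANY is restricted to an address list the way AXFR/IXFR usually is, TCP and a valid cookie vouch for the source address, and an oversized UDP answer to an unverified source is truncated so a genuine client retries over TCP. The ACL networks, the 2:1 ratio threshold and the default request size are assumed values, not figures from the thread.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ANSWER = "answer"      # serve the full response
    TRUNCATE = "truncate"  # reply with TC=1 so the client retries over TCP
    REFUSE = "refuse"      # RCODE REFUSED, no amplification at all


@dataclass
class Query:
    src_ip: str            # source address as seen on the wire
    qtype: str             # e.g. "A", "AAAA", "ANY"
    transport: str         # "udp" or "tcp"
    cookie_ok: bool = False  # client presented a valid server cookie
    request_len: int = 64  # wire size of the request in bytes (assumed)


# Assumed ACL: the only sources permitted to ask ANY, as with AXFR/IXFR.
ANY_ACL = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("2001:db8::/32")]


def in_acl(ip: str, acl) -> bool:
    """True when ip falls inside one of the ACL networks (v4/v6 aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


def decide(q: Query, response_len: int, max_ratio: float = 2.0) -> Action:
    """Policy for one query given the size of the answer we would send.

    ANY is ACL-gated regardless of transport, mirroring AXFR/IXFR policy.
    For every other type, TCP or a valid cookie proves the source address;
    otherwise a response more than max_ratio times the request is
    truncated so the asker must come back over TCP.
    """
    if q.qtype == "ANY":
        return Action.ANSWER if in_acl(q.src_ip, ANY_ACL) else Action.REFUSE
    if q.transport == "tcp" or q.cookie_ok:
        return Action.ANSWER  # source address already verified
    if response_len / q.request_len > max_ratio:
        return Action.TRUNCATE  # large answer to unverified source
    return Action.ANSWER
```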