Hi Olafur, please see below.
> Am 13.09.2018 um 00:02 schrieb Ólafur Guðmundsson <ola...@cloudflare.com>: > > > > On Mon, Sep 10, 2018 at 11:27 PM, Mirja Kühlewind <i...@kuehlewind.net> wrote: > Mirja Kühlewind has entered the following ballot position for > draft-ietf-dnsop-refuse-any-07: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-refuse-any/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I'm wondering if it would make sense to provide stronger guidance that the > conventional ANY response SHOULD be provided if TCP is used as TCP already > provides a retrun routability proof...? Also maybe provide a refernce to > RFC7766? > > This has nothing to do with "retrun routability" if big answers are given to > resolver via TCP then the resolver can be used as amplifier and there > Millions of those on the net. With TCP you usually set up a TCP connection (3-way handshake) then send the request on that connection and get the reply on that connection. You can not change the IP address in the mean time. So there should not be that amplification attack anymore. That was what I was saying. > > IMHO the only time big ANY answer CAN be returned is when the connection is > authenticated and approved. Not sure what you mean by „approved" but I guess that is what TCP gives you. If you really need authentication you’d need to use TLS but not sure why that would help. > > > And one smallish comment: Would it make sense to refer > draft-ietf-dnsop-terminology-bis-09 (or actually the soon to be new RFC) > instead of RFC7719? > > > Hope this happens by RFC-editor or in AUth48 It will only happen if you replace [RFC7719] which [draft-ietf-dnsop-terminology-bis-09] because then the RFC editor knows that there is a dependency and will wait with the publication until draft-ietf-dnsop-terminology-bis-09 has an RFC number and then replace automatically [draft-ietf-dnsop-terminology-bis-09] with the RFC-to-be. Mirja > > Olafur > > > > > -- > Ólafur Gudmundsson | Engineering Director > www.cloudflare.com blog.cloudflare.com _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
