Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-10 Thread Hugo Maxwell Connery
: Paul Wouters Cc: dnsop; Brian Dickson Subject: Re: [DNSOP] Suggestion for "any" - TCP only Paul Wouters Monday, March 09, 2015 10:02 PM On Sun, 8 Mar 2015, Paul Vixie wrote: So why are we proposing to ACL the A

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-09 Thread Paul Vixie
> Paul Wouters > Monday, March 09, 2015 10:02 PM > On Sun, 8 Mar 2015, Paul Vixie wrote: > >>> So why are we proposing to ACL the ANY queries again? >> >> because people like me with dig-based diagnostic tools want to be able >> to run ANY queries against our own servers,

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-09 Thread Paul Wouters
On Sun, 8 Mar 2015, Paul Vixie wrote: So why are we proposing to ACL the ANY queries again? because people like me with dig-based diagnostic tools want to be able to run ANY queries against our own servers, from our NOC/SOC. Fair enough. Cloudflare is not doing this for privacy reasons. So

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-09 Thread Oliver Peter
On Sun, Mar 08, 2015 at 10:27:11PM -0700, Paul Vixie wrote: > > > > Paul Wouters > > Sunday, March 08, 2015 9:03 PM > > On Sun, 8 Mar 2015, Paul Vixie wrote: > > > > > > So why are we proposing to ACL the ANY queries again? > > because people like me with dig-based diagno

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Vixie
> Paul Wouters > Sunday, March 08, 2015 9:03 PM > On Sun, 8 Mar 2015, Paul Vixie wrote: > > > So why are we proposing to ACL the ANY queries again? because people like me with dig-based diagnostic tools want to be able to run ANY queries against our own servers, from our

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Wouters
On Sun, 8 Mar 2015, Paul Vixie wrote: again, the next revision of olafur's document will remove all mention of amplification/reflection. that meme is dead. So why are we proposing to ACL the ANY queries again? If you put ANY queries under an ACL, it means you are limiting the ANY query diagn

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Vixie
Paul Wouters wrote: > On Sun, 8 Mar 2015, Brian Dickson wrote: > >> Given the diagnostic value of "any" (and similarly "RRSIG" et al), I >> would prefer deprecation of only the UDP version, via mechanisms >> that are "dig"-friendly. > > A better description would be to require "source IP verifica

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Wouters
On Sun, 8 Mar 2015, Brian Dickson wrote: Given the diagnostic value of "any" (and similarly "RRSIG" et al), I would prefer deprecation of only the UDP version, via mechanisms that are "dig"-friendly. A better description would be to require "source IP verification", so that eastlake-cookies a

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Vixie
> Brian Dickson > Sunday, March 08, 2015 2:55 PM > Hey, everyone, > > Given the diagnostic value of "any" (and similarly "RRSIG" et al), I > would prefer deprecation of only the UDP version, via mechanisms that > are "dig"-friendly. alas, in a post-snowden

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Ralf Weber
Moin! On Sun, Mar 08, 2015 at 02:55:37PM -0700, Brian Dickson wrote: > Hey, everyone, > > Given the diagnostic value of "any" (and similarly "RRSIG" et al), I would > prefer deprecation of only the UDP version, via mechanisms that are > "dig"-friendly. I still fail to see the diagnostic value of