Proposal for using NAPTR/URI records
Nico Williams
nico at cryptonector.com
Thu Feb 26 14:20:07 EST 2015
On Thu, Feb 26, 2015 at 06:02:11PM +0100, Petr Spacek wrote:
> I forgot to comment on this:
> QTYPE=ANY is unreliable because admins are disabling it in hope that
> it will mitigate DNS-amplified DDoS attacks. (It would be better to
> implement source-address filtering but what you can do ...)
I see, and it's probably a good idea, but in a DNSSEC world this is
equivalent to timing out, no?
> Unfortunately I do not have any data at hand but I believe that Viktor
> Dukhovni or other folks interested in DNS and mail server could add
> some details.
I'll ask him.
> Maybe this whole discussion should be moved to IETF dnsop mailing
> list? After all, there is nothing Kerberos-specific, all the questions
> seem to be about DNS service discovery.
Well, but there is something for KITTEN WG as well, since there'd be new
requirements for KDC operators and -likely, or at least recommendations-
for client implementors.
I agree that dnsop is probably the better venue. It's definitely
getting to the point where we should go ask for expert DNS advice, and
NOTE WELL.
Nico
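The point Petr raises above (a client cannot count on QTYPE=ANY being answered, so discovery has to work with per-type queries) is shown below as an added example written for this page; it is not code from the krbdev thread, from MIT Kerberos or from any DNS library. The resolver is a hypothetical callable `query(name, rtype)` backed by a constructed in-memory zone for `_kerberos.example.com`, so the example runs offline; a real client would plug dnspython or a similar library into that slot. The record data strings are placeholders, not real NAPTR/URI/SRV syntax.

```python
"""Service discovery that treats QTYPE=ANY as an optimisation, never a dependency.

Illustrative code added to this page (not from the thread, Kerberos or a DNS
library).  `query(name, rtype)` is a hypothetical resolver hook; the zone
below is constructed sample data.
"""
from typing import Callable, Dict, List, Tuple


class DnsTimeout(Exception):
    """No answer arrived (what a client sees when ANY queries are dropped)."""


class DnsRefused(Exception):
    """The server returned REFUSED or NOTIMP for this QTYPE."""


Record = Tuple[str, str]            # (rtype, rdata as text)
Query = Callable[[str, str], List[Record]]

WANTED = ("NAPTR", "URI", "SRV")    # record types the discovery client consumes


def discover(name: str, query: Query) -> Dict[str, List[str]]:
    """Return {rtype: [rdata, ...]} for every type in WANTED.

    One ANY query is tried first because it can save round trips, but the
    result is only used for types it actually contains.  If ANY times out,
    is refused, or comes back without the types we need (servers that
    disable ANY often answer with something minimal or nothing at all), the
    client falls back to one explicit query per type.  A timeout on an
    explicit query is a real failure and is left to propagate.
    """
    found: Dict[str, List[str]] = {t: [] for t in WANTED}
    try:
        for rtype, rdata in query(name, "ANY"):
            if rtype in found:
                found[rtype].append(rdata)
    except (DnsTimeout, DnsRefused):
        pass  # ANY is blocked or rate-limited; explicit queries below cover it
    for rtype in WANTED:
        if not found[rtype]:
            try:
                found[rtype] = [rd for rt, rd in query(name, rtype) if rt == rtype]
            except DnsRefused:
                found[rtype] = []  # this type is genuinely unavailable here
    return found


# ---- constructed offline test fixture (hypothetical zone, placeholder rdata) ----
NAME = "_kerberos.example.com"
ZONE: Dict[Tuple[str, str], List[Record]] = {
    (NAME, "NAPTR"): [("NAPTR", "naptr-record-1 (constructed)"),
                      ("NAPTR", "naptr-record-2 (constructed)")],
    (NAME, "URI"):   [("URI", "uri-record-1 (constructed)")],
    (NAME, "SRV"):   [("SRV", "srv-record-1 (constructed)")],
    (NAME, "TXT"):   [("TXT", "unrelated-record (constructed)")],
}
EXPECTED = {
    "NAPTR": ["naptr-record-1 (constructed)", "naptr-record-2 (constructed)"],
    "URI":   ["uri-record-1 (constructed)"],
    "SRV":   ["srv-record-1 (constructed)"],
}


def make_resolver(zone: Dict[Tuple[str, str], List[Record]], any_policy: str):
    """Build a hypothetical resolver plus a log of the QTYPEs it was asked for.

    any_policy models how the authoritative side treats ANY:
      "full"    - answers ANY with every record at the name
      "minimal" - answers ANY with a single unrelated record
      "refuse"  - returns REFUSED for ANY
      "timeout" - drops ANY queries on the floor
    Explicit per-type queries are always answered from the zone.
    """
    log: List[str] = []

    def query(name: str, rtype: str) -> List[Record]:
        log.append(rtype)
        if rtype != "ANY":
            return list(zone.get((name, rtype), []))
        if any_policy == "timeout":
            raise DnsTimeout(name)
        if any_policy == "refuse":
            raise DnsRefused(name)
        if any_policy == "minimal":
            return [("HINFO", "minimal-any-answer (constructed)")]
        return [r for (n, _), recs in zone.items() if n == name for r in recs]

    return query, log


if __name__ == "__main__":
    for policy in ("full", "minimal", "refuse", "timeout"):
        q, log = make_resolver(ZONE, policy)
        result = discover(NAME, q)
        print(f"{policy:8s} queries={log} ok={result == EXPECTED}")
```

The four policies all produce the same discovery result; only the number of round trips differs (one query when ANY is honoured, four when it is not). That is the property a client specification wants: ANY may make discovery cheaper, but correctness must never depend on it.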