Proposal for using NAPTR/URI records
pspacek at redhat.com
Fri Feb 27 08:58:33 EST 2015
On 26.2.2015 20:20, Nico Williams wrote:
> On Thu, Feb 26, 2015 at 06:02:11PM +0100, Petr Spacek wrote:
>> I forgot to comment on this:
>> QTYPE=ANY is unreliable because admins are disabling it in hope that
>> it will mitigate DNS-amplified DDoS attacks. (It would be better to
>> implement source-address filtering but what you can do ...)
> I see, and it's probably a good idea, but in a DNSSEC world this is
> equivalent to timing out, no?
There are some 'legal' options for how to avoid answering QTYPE=ANY queries:
Either send REFUSED to the client or set TC=1 in the answer and force the client
to re-try over TCP.
Anyway, Firefox folks started an interesting (and possibly unintentional)
experiment with ANY queries so we can watch how it works in practice.
Petr Spacek @ Red Hat
>> Unfortunately I do not have any data at hand but I believe that Viktor
>> Dukhovni or other folks interested in DNS and mail server could add
>> some details.
> I'll ask him.
>> Maybe this whole discussion should be moved to IETF dnsop mailing
>> list? After all, there is nothing Kerberos-specific, all the questions
>> seem to be about DNS service discovery.
> Well, but there is something for KITTEN WG as well, since there'd be new
> requirements for KDC operators and -likely, or at least recommendations-
> for client implementors.
> I agree that dnsop is probably the better venue. It's definitely
> getting to the point where we should go ask for expert DNS advice, and
> NOTE WELL.
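As an added example that is not part of the original thread, the two 'legal' ways of declining a QTYPE=ANY query mentioned above (REFUSED, or TC=1 on UDP so the client re-tries over TCP) modelled in Python at the wire-format level, together with the client-side decision. The query encoder, the policy names and the sample query are this example's own constructions, not code from any real resolver.

```python
import struct
from typing import Optional

QTYPE_ANY = 255
FLAG_QR, FLAG_TC, RCODE_REFUSED = 0x8000, 0x0200, 5

def build_query(ident: int, qname: str, qtype: int) -> bytes:
    """Encode a minimal DNS query: header (RD=1) plus one IN-class question."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def question_section(msg: bytes):
    """Return (id, qtype, raw question section) of a single-question message."""
    pos = 12
    while msg[pos] != 0:          # walk the length-prefixed labels of QNAME
        pos += 1 + msg[pos]
    pos += 1                      # skip the root label
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return struct.unpack("!H", msg[:2])[0], qtype, msg[12:pos + 4]

def handle_any_query(msg: bytes, over_tcp: bool, policy: str) -> Optional[bytes]:
    """Server side. Returns a complete response for QTYPE=ANY, or None meaning
    'answer normally'. policy='refuse' sends RCODE=REFUSED; policy='truncate'
    sends an empty answer with TC=1 over UDP (the client then re-tries over TCP,
    where the query is answered normally and cannot be used for amplification)."""
    ident, qtype, question = question_section(msg)
    if qtype != QTYPE_ANY:
        return None
    flags = FLAG_QR
    if policy == "refuse":
        flags |= RCODE_REFUSED
    elif policy == "truncate":
        if over_tcp:
            return None
        flags |= FLAG_TC
    else:
        raise ValueError("unknown policy: " + policy)
    # QDCOUNT=1 (echo the question), AN/NS/AR counts all zero
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + question

def client_next_step(resp: bytes) -> str:
    """Client side: what a resolver does with a UDP response header."""
    flags = struct.unpack("!H", resp[2:4])[0]
    if flags & FLAG_TC:
        return "retry-tcp"
    if flags & 0x000F == RCODE_REFUSED:
        return "refused"
    return "use-answer"
```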