I hadn't really considered that not allowing RD=0 would cause any major problems, simply because of all the traffic I have monitored coming into these current servers and those I managed at Telecom, the number of RD=0 queries was relatively tiny, so much so that it was in the margin of error :)
The operating theory we are currently under is allowing cache "snooping" could potentially allow an attack to enumerate what we hold.
Given that the cache at any point in time is full of a rather large number of entries this premise may not stack up.
Having said that, I haven't seen any negative impact, or had the phones ringing due to this policy being in place.
Other than to say we couldn't do RD=0 queries to validate what the cache held.
Paul
On 18/09/2013, at 2:10 AM, Joe Abley wrote:
On 2013-09-17, at 09:35, Phil Regnauld wrote:
Now I do, but I find it odd that the motivation would be to let third party snoop one's cache. If anything, I'd just replace allow with allow_snoop for existing clients. Anything else sounds dangerous.
Agreed. It seems slightly bizarre to me that "allow" doesn't allow RD=0 queries. Perhaps a better token than "allow" for the config file would be "allow_but_break_in_unexpected_ways".
Joe
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
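An added example, not code from this thread, for checking the policy discussed above from the operator's side: it builds a query with the RD bit clear (what `dig +norecurse` sends) and classifies the reply, so you can confirm that the resolver answers REFUSED from an outside address and only reveals cache contents from a range given allow_snoop. It assumes the "allow"/"allow_snoop" tokens are Unbound's access-control actions, and the sample replies are constructed header-only packets.

```python
import socket
import struct

# Added example, not code from the NZNOG thread. Builds an RD=0 query (what
# `dig +norecurse` sends) and classifies the reply, so an operator can verify
# that an access-control policy (assumed here to be Unbound's "allow" vs
# "allow_snoop") refuses non-recursive queries from outside addresses.

def build_rd0_query(name, txid=0x1234):
    """Wire-format A/IN query for `name` with all header flags clear (RD=0)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rd_flag(msg):
    """Return the RD bit (0x0100 in the flags word) of a DNS message."""
    return (struct.unpack("!H", msg[2:4])[0] >> 8) & 1

def classify_response(msg, expected_txid=0x1234):
    """Map a reply to an RD=0 query onto what it tells the operator."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:   # not a reply to our query
        return "other"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"      # policy rejects RD=0: the desired result for outsiders
    if rcode == 0 and ancount > 0:
        return "cached"       # answered without recursing: record was in cache
    if rcode == 0:
        return "not-cached"   # empty or referral reply; exact form varies by software
    return "other"

def probe(server, name, timeout=2.0):
    """Send the RD=0 query over UDP to `server` (port 53) and classify the reply."""
    query = build_rd0_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(512)
    return classify_response(reply)

# Constructed sample replies (header only; classification reads only the header).
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8085, 1, 0, 0, 0)  # QR, RA, RCODE=5
SAMPLE_CACHED = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)   # QR, RA, one answer
SAMPLE_EMPTY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 1, 0)    # QR, RA, referral only

if __name__ == "__main__":
    for label, sample in [("refused", SAMPLE_REFUSED), ("cached", SAMPLE_CACHED)]:
        print(label, "->", classify_response(sample))
```

Run `probe("<your-resolver-ip>", "example.com")` from an address outside the allow_snoop range and expect "refused"; the same call from inside it shows whether the name is cached.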