Why does checkdnsrr() default to MX??

11 years ago by Sanford Whiteman — view source — reply

unread

ANY (*) requests are key to many DNS amplification attacks and may fail,
even if the RR you want exists when individually requested. Such requests
should be discouraged by clients, IMO. It's disappointing that PHP's
dns_get_record() defaults to ANY.

But more to the point, what is the client-side utility? You are basically
flooding yourself if you make such requests -- what exactly are you going
to do with the TXT records, NS records, the SOAs, the unknown types? This
is just a ton of extraneous data, even if the overall payload is small.

Maybe if you're building a PHP app whose sole purpose is to troubleshoot
DNS. But if so I would sooner fork dig, since most likely you are trying
to show people the results that a non-PHP app would see, so better to avoid
any PHP bugs/specialness and miss any DNS features (such as new RR types
and new DNS extensions).

I don't think there's anything particularly askew in MX being the default
for checkdnsrr() if you think of it as a cut-down generalization of
getdnsmx(). Still I can't remember the last time my PHP apps cared only
about whether an RR existed, not its value (our mail server cares about
that of course when checking blacklists, and we care when we're
troubleshooting... but not within PHP). And I've *never *wanted to get a
true/false *if there is an RR of any type, *as opposed to a true/false if
the domain exists at all in the public DNS. Can you explain the use case?

-- Sandy

11 years ago by Rowan Collins — view source — reply

unread

ANY (*) requests are key to many DNS amplification attacks and may
fail,
even if the RR you want exists when individually requested. Such
requests
should be discouraged by clients, IMO. It's disappointing that PHP's
dns_get_record() defaults to ANY.

But more to the point, what is the client-side utility? You are
basically
flooding yourself if you make such requests -- what exactly are you
going
to do with the TXT records, NS records, the SOAs, the unknown types?
This
is just a ton of extraneous data, even if the overall payload is small.

Maybe if you're building a PHP app whose sole purpose is to
troubleshoot
DNS. But if so I would sooner fork dig, since most likely you are
trying
to show people the results that a non-PHP app would see, so better to
avoid
any PHP bugs/specialness and miss any DNS features (such as new RR
types
and new DNS extensions).

I don't think there's anything particularly askew in MX being the
default
for checkdnsrr() if you think of it as a cut-down generalization of
getdnsmx(). Still I can't remember the last time my PHP apps cared
only
about whether an RR existed, not its value (our mail server cares about
that of course when checking blacklists, and we care when we're
troubleshooting... but not within PHP). And I've *never *wanted to get
a
true/false *if there is an RR of any type, *as opposed to a true/false
if
the domain exists at all in the public DNS. Can you explain the use
case?

-- Sandy

Hi,

I think you might need to take a deep breath, read through the mailing list guidelines [ http://git.php.net/?p=php-src.git;a=blob_plain;f=README.MAILINGLIST_RULES;hb=HEAD], and start again.

Your post mentions three different functions, which have different purposes, and different default parameters, and demands that we provide a use case for something (I'm not clear what) because you've never needed it. I would say it is up to you to put forward a considered case for a change, not for everyone else to justify the status quo.

What is it you are actually proposing or requesting here? To remove the ability of these functions to query ANY? To remove the default parameter so that people don't use ANY accidentally? Or to change the default value to something different?

Bear in mind that any change needs to take into account compatibility with existing code, so removing or changing a default parameter requires a strong justification to offset the problems it may cause users.

I hope this message doesn't sound too negative, and look forward to clarification of your thoughts.

Regards,

Rowan Collins
[IMSoP]

11 years ago by Rowan Collins — view source — reply

unread

I hope this message doesn't sound too negative, and look forward to
clarification of your thoughts.

Apologies, I've just realised that that message wasn't in fact the beginning of the thread, so some of my comments are way off base.

Out of context, it looked like a bit of a rant about how ANY could never be a useful option. Still, the only line that really addressed the question was this:

I don't think there's anything askew in MX being the
default
for checkdnsrr() if you think of it as a cut-down generalization of checkdmsmx()

(Sorry, that's not a direct quote because I'm having copy and paste issues.)

Sorry again for the misunderstanding.

Rowan

11 years ago by Sanford Whiteman — view source — reply

unread

I was just composing an e-mail advising you to follow general netiquette
rules and read the original post. :)

I disagree utterly that I did not sufficiently address the question. I
addressed it in multiple ways:

[1] ANY queries create extraneous traffic, so you want fewer PHP functions
defaulting to them, not more;

[2] ANY queries may fail, giving a false negative, when individual RRs
would succeed;

[3] An ANY query that only reduces to a *boolean *is a particular waste of
energy and network traffic if you're trying to see whether a domain has any
records, as you can use SOA for that, with no loss of fidelity;

[4] if checkdnsrr() is generalized from dns_get_mx() that is another
explanation

I think [4] is actually my weakest point.

-- S.

On Thu, Sep 18, 2014 at 5:32 PM, Rowan Collins rowan.collins@gmail.com
wrote:

On 18 September 2014 22:19:46 GMT+01:00, Rowan Collins <
rowan.collins@gmail.com> wrote:

I hope this message doesn't sound too negative, and look forward to
clarification of your thoughts.

Apologies, I've just realised that that message wasn't in fact the
beginning of the thread, so some of my comments are way off base.

Out of context, it looked like a bit of a rant about how ANY could never
be a useful option. Still, the only line that really addressed the question
was this:

I don't think there's anything askew in MX being the
default
for checkdnsrr() if you think of it as a cut-down generalization of
checkdmsmx()

(Sorry, that's not a direct quote because I'm having copy and paste
issues.)

Sorry again for the misunderstanding.

Rowan

11 years ago by Sanford Whiteman — view source — reply

unread

... thought I just top-posted for the first time in, like, ever -- b/c I
guess janky Gmail does that by default (I had to switch my subscribed
address as php.net was deleting mail relayed through my ISP).

11 years ago by Rowan Collins — view source — reply

unread

I was just composing an e-mail advising you to follow general
netiquette
rules and read the original post. :)

Yeah, for some reason your first message shows up as a standalone post, with no hint that it was a reply, so I completely missed the context. :/

I disagree utterly that I did not sufficiently address the question.

Fair enough. I'll let others take up the conversation, before I dig myself in any deeper. Personally, I've never used any DNS functionality from PHP, so the whole thing is rather academic to me.

Apologies again for any offence.

Rowan Collins
[IMSoP]