[AusNOG] "stateless TCP" for DNS

Dobbins, Roland rdobbins at arbor.net
Mon Nov 15 22:26:08 EST 2010


On Nov 15, 2010, at 12:00 PM, Mark Andrews wrote:

> Also if firewalls block responses bigger than 512 bytes was an issue it would have turned up years ago as the non DNSSEC EDNS referral to the
> COM and NET servers has been bigger than 512 bytes for a long time now.


This is actually still a problem today for firewalls which have never been upgraded from ancient code, along with firewall rules and ACLs which block TCP/53 due to 'security' misinformation propagated far and wide by certain vendors of firewall products many years ago, sigh.

These kinds of issues are why a rigorous reachability study is needed in order to determine a) how much of the Internet appears to be broken for EDNS0 (DNSSEC really brings this to the forefront) and b) how much appears to be broken for TCP/53.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

Sell your computer and buy a guitar.
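An added example, not part of the thread or of any tool the posters mention: a small standard-library Python probe that sends an EDNS0 query (DO bit set) to a resolver over UDP, repeats it over TCP/53, and classifies the outcome. It is the per-resolver measurement a reachability study of the kind described above would run across many vantage points, and it distinguishes the two failure modes Roland names: EDNS0 being stripped or ignored on the path, and TCP/53 being blocked so truncated answers can never be retried. The function names, the classification tags and the embedded sample reply are my own constructions; the sample uses the documentation address 192.0.2.1.

```python
import random
import socket
import struct
import sys

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_TC = 0x0200       # truncation bit in the DNS header flags
DO_BIT = 0x8000        # DNSSEC OK, high bit of the OPT TTL field's flags half


def build_query(name, qtype=1, edns_udp_size=4096, want_dnssec=True):
    """Build a recursive DNS query carrying an EDNS0 OPT record; return (wire, txid)."""
    txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = RD; one question, no answers/authority, one additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO in the flags, empty RDATA
    ttl = DO_BIT if want_dnssec else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, ttl, 0)
    return header + question + opt, txid


def _skip_name(data, off):
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        length = data[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data):
    """Extract the fields a reachability check cares about from a DNS reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE/QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        if off + 10 > len(data):
            raise ValueError("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            edns_size = rclass                   # OPT CLASS carries the UDP size
        off += 10 + rdlen
    return {"txid": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
            "ancount": an, "edns_udp_size": edns_size, "wire_size": len(data)}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf


def probe(server, name="example.com", qtype=1, timeout=3.0):
    """Query one resolver over UDP then TCP/53; each leg yields parsed fields or an error."""
    query, txid = build_query(name, qtype)
    result = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(65535)
        result["udp"] = parse_response(data)
    except (OSError, ValueError) as e:
        result["udp"] = {"error": str(e)}
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP framing: 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            result["tcp"] = parse_response(_recv_exact(s, length))
    except (OSError, ValueError) as e:
        result["tcp"] = {"error": str(e)}
    for leg in ("udp", "tcp"):
        if "txid" in result[leg] and result[leg]["txid"] != txid:
            result[leg] = {"error": "transaction id mismatch"}
    return result


def classify(result):
    """Reduce a probe result to one tag describing what is broken on the path."""
    udp_ok = "error" not in result["udp"]
    tcp_ok = "error" not in result["tcp"]
    if not udp_ok and not tcp_ok:
        return "NO_DNS"
    if udp_ok and result["udp"]["tc"] and not tcp_ok:
        return "TC_NO_TCP"      # truncated over UDP and no TCP fallback: large answers fail
    if udp_ok and result["udp"]["edns_udp_size"] is None:
        return "NO_EDNS"        # OPT not echoed: EDNS0 stripped or ignored somewhere
    if not tcp_ok:
        return "NO_TCP"         # TCP/53 filtered even though UDP works
    return "OK"


# Constructed sample reply (not captured traffic): TC=1, one compressed-name A record
# for example.com pointing at 192.0.2.1, and an OPT RR advertising a 1232-byte UDP size.
SAMPLE_TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for server in sys.argv[1:]:
            print(server, classify(probe(server)))
    else:
        print("offline sample:", parse_response(SAMPLE_TRUNCATED_RESPONSE))
```

Run it as `python3 probe.py 192.0.2.53 ...` against the resolvers under study; with no arguments it parses the embedded sample so the parser can be exercised without network access. The tags are deliberately coarse so results from many vantage points can be tallied directly into the two percentages the post asks for.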
