[AusNOG] "stateless TCP" for DNS

Joshua Small JSmall at daraco.com.au
Tue Nov 16 08:56:41 EST 2010


Hi,

My anecdotal suggestion would be that a) is a far bigger problem than b).

Loldns utilises TCP for all packets > 512 bytes instead of EDNS. Its install base may not be huge, but it does have a small number of large installations, and I have yet to hear about a reachability issue.

I have, however, been called in to repair more than my fair share of "broken Windows servers", only to find Windows 2003's EDNS can't get past an ASA or PIX with a fixup dns command and no size specified (I had one of these just yesterday).

Joshua Small

Daraco Services
IT Consulting and Support
Unit 17, 7 Anella Avenue Castle Hill 2154
Phone: 1300 327 226 Fax: +612 8588 1200
Email: jsmall at daraco.com.au www.daraco.com.au




-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Monday, 15 November 2010 10:26 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] "stateless TCP" for DNS


On Nov 15, 2010, at 12:00 PM, Mark Andrews wrote:

> Also, if firewalls blocking responses bigger than 512 bytes was an issue, it would have turned up years ago, as the non-DNSSEC EDNS referral to the
> COM and NET servers has been bigger than 512 bytes for a long time now.


This is actually still a problem today for firewalls which have never been upgraded from ancient code, along with firewall rules and ACLs which block TCP/53 due to 'security' misinformation propagated far and wide by certain vendors of firewall products many years ago, sigh.

These kinds of issues are why a rigorous reachability study is needed in order to determine a) how much of the Internet appears to be broken for EDNS0 (DNSSEC really brings this to the forefront) and b) how much appears to be broken for TCP/53.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

 	       Sell your computer and buy a guitar.
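The two failure classes Roland lists (EDNS0 responses over 512 bytes not getting through, and TCP/53 being filtered) and the PIX/ASA "fixup with no size" symptom Joshua describes can both be observed with a small probe that does what a resolver does: send a query carrying an EDNS0 OPT record, look at the TC bit in the reply, and retry over TCP. The following is an added example written for this page, not code from the thread or from any of the posters. It uses only the Python standard library; the verdict strings returned by classify() are this example's own names, and any server address or zone you pass to probe() is up to you.

```python
"""EDNS0 / TCP-53 reachability probe (added example, standard library only).
Builds a query with an OPT record advertising a large UDP buffer, parses the
reply for the TC bit, and falls back to TCP/53 the way a resolver would."""
import random
import socket
import struct

TYPE_OPT = 41      # OPT pseudo-RR type (RFC 6891)
FLAG_TC = 0x0200   # TrunCation bit in the DNS header flags

def encode_name(name):
    """'www.example.com' -> DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, edns_size=4096, txid=None):
    """DNS query; edns_size=None omits OPT (plain 512-byte DNS, for comparison)."""
    if txid is None:
        txid = random.randrange(0, 65536)
    arcount = 0 if edns_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_size is not None:
        # OPT: root name, type 41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags (DO bit = 0x8000), no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0x8000, 0)
    return msg

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Extract what a reachability probe cares about from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == TYPE_OPT:
            edns_size = rclass                  # server's advertised UDP size
        off += 10 + rdlen
    return {"id": txid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "edns_udp_size": edns_size, "size": len(data)}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf

def probe(server, name, qtype=1, edns_size=4096, timeout=3.0):
    """UDP first; on truncation or silence retry the same query over TCP/53."""
    q = build_query(name, qtype, edns_size)
    result = {"udp": None, "tcp": None}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            result["udp"] = parse_response(s.recv(65535))
    except OSError:
        result["udp"] = "timeout"   # a middlebox eating large/EDNS UDP looks like this
    if result["udp"] == "timeout" or result["udp"]["truncated"]:
        try:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS is length-prefixed
                (n,) = struct.unpack("!H", _recv_exact(s, 2))
                result["tcp"] = parse_response(_recv_exact(s, n))
        except OSError:
            result["tcp"] = "timeout"   # TCP/53 filtered: the thread's case b)
    return result

def classify(result):
    """Map a probe result onto the breakage classes discussed in the thread."""
    udp, tcp = result["udp"], result["tcp"]
    tcp_ok = isinstance(tcp, dict)
    if udp == "timeout":
        return "edns-udp-blocked" if tcp_ok else "edns-udp-blocked+tcp53-blocked"
    if udp["rcode"] == 1:
        return "formerr-edns-rejected"        # something mangled or refused the OPT
    if not udp["truncated"]:
        return "ok-udp"
    return "ok-tcp-fallback" if tcp_ok else "tcp53-blocked"

# Constructed sample: a truncated reply to "example.com A" carrying a 1232-byte OPT.
SAMPLE_TRUNCATED_REPLY = (
    b"\x12\x34\x83\x80\x00\x01\x00\x00\x00\x00\x00\x01"   # id, QR|RD|RA|TC, counts
    + b"\x07example\x03com\x00\x00\x01\x00\x01"             # question section
    + b"\x00\x00\x29\x04\xd0\x00\x00\x00\x00\x00\x00"       # OPT, UDP size 1232
)
```

Run the same query three ways against a resolver behind the suspect firewall, e.g. `probe("192.0.2.1", "example.com", qtype=48, edns_size=s)` for `s` in `None`, `512` and `4096` (address and zone hypothetical; DNSKEY answers for a signed zone are a convenient way to get a reply well over 512 bytes). A PIX or ASA doing DNS fixup without a size shows up as plain DNS and EDNS-512 working while EDNS-4096 times out; an ACL dropping TCP/53 shows up as a truncated UDP reply followed by a TCP timeout. Both are visible in classify()'s verdict without any packet capture.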



