[AusNOG] "stateless TCP" for DNS
Mark Andrews
marka at isc.org
Tue Nov 16 08:43:59 EST 2010
In message <5574443E-8B07-4549-858E-4528EB0E9715 at arbor.net>, "Dobbins, Roland"
writes:
>
> On Nov 15, 2010, at 12:00 PM, Mark Andrews wrote:
>
> > Also, if firewalls blocking responses bigger than 512 bytes was an issue it
> > would have turned up years ago, as the non-DNSSEC EDNS referral to the
> > COM and NET servers has been bigger than 512 bytes for a long time now.
>
> This is actually still a problem today for firewalls which have never been
> upgraded from ancient code, along with firewall rules and ACLs which block
> TCP/53 due to 'security' misinformation propagated far and wide by certain
> vendors of firewall products many years ago, sigh.
>
> These kinds of issues are why a rigorous reachability study is needed in
> order to determine a) how much of the Internet appears to be broken for
> EDNS0 (DNSSEC really brings this to the forefront) and b) how much appears
> to be broken for TCP/53.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Sell your computer and buy a guitar.
Firewalls that block DNS/TCP are a problem for plain DNS. EDNS doesn't
change that.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
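The two breakage classes the thread argues about (EDNS0 answers that never arrive, and TCP/53 that is filtered so a truncated UDP answer can never be retried) are easy to probe directly. The script below is an added example written for this page; it is not code from the thread, from ISC or from Arbor. It hand-builds a minimal DNS query with an optional OPT record, sends it over UDP and over TCP/53, and classifies the results. The server and name defaults (a local resolver and `com NS`, chosen because the COM referral mentioned above is well over 512 bytes) and the embedded 40-byte truncated reply are constructed for illustration, not captured from any real server.

```python
"""Probe one DNS server for EDNS0 and TCP/53 reachability (added example)."""
import socket
import struct
import sys

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
FLAG_TC = 0x0200     # truncation bit in the DNS header flags


def _encode_name(name):
    """Wire-encode an owner name as length-prefixed labels ending in the root."""
    labels = [l.encode('ascii') for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l for l in labels) + b'\x00'


def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Recursion-desired query; adds an OPT RR advertising edns_bufsize if given."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    question = _encode_name(name) + struct.pack('!HH', qtype, 1)
    opt = b''
    if edns_bufsize:
        # OPT: root owner, TYPE 41, CLASS carries the UDP payload size,
        # TTL holds extended RCODE/version/flags (all zero here), empty RDATA.
        opt = b'\x00' + struct.pack('!HHIH', OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a possibly compressed name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Pull out what a reachability study needs: TC bit, RCODE, size, OPT payload size."""
    _, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    info = {'tc': bool(flags & FLAG_TC), 'rcode': flags & 0xF,
            'answers': an, 'size': len(msg), 'edns_bufsize': None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info['edns_bufsize'] = rclass       # OPT CLASS = sender's UDP payload size
    return info


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('short read from DNS server')
        buf += chunk
    return buf


def query_udp(server, name, qtype=1, edns_bufsize=None, timeout=3.0):
    """One UDP query; None if nothing comes back (timeout or ICMP unreachable)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, edns_bufsize), (server, 53))
            data, _ = s.recvfrom(65535)
        return parse_response(data)
    except OSError:
        return None


def query_tcp(server, name, qtype=1, edns_bufsize=None, timeout=3.0):
    """One query over TCP/53 with the 2-byte length prefix; None if TCP/53 is blocked."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            q = build_query(name, qtype, edns_bufsize)
            s.sendall(struct.pack('!H', len(q)) + q)
            (length,) = struct.unpack('!H', _recv_exact(s, 2))
            data = _recv_exact(s, length)
        return parse_response(data)
    except OSError:
        return None


def diagnose(udp_plain, udp_edns, tcp):
    """Map three probe results (parsed reply or None) to the thread's breakage classes."""
    problems = []
    if udp_plain is None:
        problems.append('no UDP/53 answer at all')
    elif udp_edns is None:
        problems.append('EDNS0 query unanswered: EDNS-hostile middlebox or >512-byte filter')
    if tcp is None:
        problems.append('TCP/53 unreachable: truncated answers cannot be retried')
    if udp_edns is not None and udp_edns['tc'] and tcp is None:
        problems.append('UDP reply truncated and no TCP fallback: this query cannot succeed')
    return problems


# Constructed sample (not a capture): a 40-byte reply with QR, RD, RA and TC set and an OPT RR.
SAMPLE_TRUNCATED_REPLY = (struct.pack('!HHHHHH', 0x1234, 0x8380, 1, 0, 0, 1)
                          + _encode_name('example.com') + struct.pack('!HH', 2, 1)
                          + b'\x00' + struct.pack('!HHIH', OPT_TYPE, 1232, 0, 0))

if __name__ == '__main__':
    server = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'   # assumed local resolver
    name = sys.argv[2] if len(sys.argv) > 2 else 'com'           # COM referral is >512 bytes
    results = (query_udp(server, name, 2), query_udp(server, name, 2, 4096), query_tcp(server, name, 2, 4096))
    for label, r in zip(('udp', 'udp+edns', 'tcp'), results):
        print(label, r)
    print('problems:', diagnose(*results) or 'none')
```

Run it as `python probe.py <server> com` against a resolver behind the firewall under test. A plain UDP answer with TC set, an EDNS0 answer that never arrives, and a TCP connection that times out are the three signatures the thread describes, and the last two together mean the name will not resolve at all through that path.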