[131787] in North American Network Operators' Group


Re: IPv6 rDNS

daemon@ATHENA.MIT.EDU (Crist Clark)
Wed Nov 3 19:02:44 2010

Date: Wed, 03 Nov 2010 16:02:13 -0700
From: "Crist Clark" <Crist.Clark@globalstar.com>
To: <nanog@nanog.org>,"Lamar Owen" <lowen@pari.edu>
In-Reply-To: <201011031610.20107.lowen@pari.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

>>> On 11/3/2010 at  1:10 PM, Lamar Owen <lowen@pari.edu> wrote:
> On Tuesday, November 02, 2010 02:21:14 pm Sven Olaf Kamphuis wrote:
>> getting rid of bind has various other advantages, such as no longer
>> needing tcp to transfer "zone files" (Retarded concept to say the least)
>> so there are no more "tcp issues" related to anycasting your authoritative
>> dns servers, as you can simply have them talk to your central database
>> over their bgp session ip, which isn't anycasted, no more port 53/tcp
>> therefore! yay, good riddance!
>
> Performing zone transfers is not the only reason for 53/tcp; it can also be
> needed for long (>512 byte) query responses.  Thanks to the one-two punch of
> DNSSEC and IPv6, the probability of a DNS response needing TCP on port 53 is
> much greater now.

That's mitigated by the fact that EDNS0 is required for DNSSEC,
allowing larger queries to go over UDP.

Still, blocking 53/tcp is perhaps second only to dropping all
incoming ICMP in the quest to be the most widely deployed and
severely broken thing done in the name of Internet security.
-- 

Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
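To make the 53/tcp point in this exchange concrete, here is an added Python example (not code from anyone in the thread) that builds a DNS query carrying an EDNS0 OPT record advertising a UDP payload size above the classic 512-byte limit, and checks the TC (truncated) bit in a response header, which is the signal that tells a resolver it must retry the query over TCP. The 4096-byte buffer size, transaction id and the two sample response headers are constructed for the example.

```python
"""EDNS0 query construction and TC-bit detection (RFC 1035 / RFC 6891 wire format)."""
import struct

DNS_CLASSIC_MAX = 512    # UDP payload limit without EDNS0 (RFC 1035)
EDNS0_UDP_SIZE = 4096    # advertised buffer size; assumption chosen for this example
FLAG_TC = 0x0200         # truncation bit in the header flags word


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234,
                edns_size: int = EDNS0_UDP_SIZE) -> bytes:
    """Return a recursion-desired query for (name, qtype, IN). If edns_size is
    non-zero, append an OPT RR in the additional section advertising that UDP
    payload size, with the DO bit set so DNSSEC records are returned (0 disables)."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    opt = b""
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL bytes = extended rcode, EDNS version, flags (DO=0x8000), RDLEN=0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, edns_size, 0, 0, 0x8000, 0)
    return header + question + opt


def is_truncated(response: bytes) -> bool:
    """True when the TC bit is set: the answer did not fit the UDP payload the
    client offered, so the query must be repeated over 53/tcp. Filtering 53/tcp
    leaves such lookups unanswerable."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


# Constructed sample responses (header only), for offline demonstration.
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR, TC, RD, RA set
COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set

if __name__ == "__main__":
    q = build_query("example.com", 1)
    print(f"query bytes: {len(q)}, advertises UDP size {EDNS0_UDP_SIZE} > {DNS_CLASSIC_MAX}")
    print("truncated sample needs TCP retry:", is_truncated(TRUNCATED))
    print("complete sample needs TCP retry:", is_truncated(COMPLETE))
```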



