[80158] in North American Network Operators' Group
Re: using TCP53 for DNS
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Tue Apr 26 17:15:34 2005
Date: Tue, 26 Apr 2005 21:13:27 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <871x8xwe1r.fsf@deneb.enyo.de>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Tue, 26 Apr 2005, Florian Weimer wrote:
> * Christopher L. Morrow:
>
> > it's a both-directions thing. Some folks dropped tcp/53 TO their AUTH
> > servers to protect against AXFRs from folks not their normal secondaries.
>
> Ugh. And they didn't think something like "permit tcp any any eq 53
> established" was necessary?
>
That only helps for outbound from the server :( not for: "Hey, this response
is going to be too big, come back on TCP!" :(
> >> Hopefully not. Resolvers MUST be able to make TCP connections to
> >> other name servers.
> >
> > It seems that what might be more common is resolver code not handling the
> > truncate request properly :(
>
> Caching resolvers or stub resolvers? Caching resolvers would be quite
> surprising, but you never know.
I've seen Windows DNS servers misbehave in this way, as well as some
firewalls performing DNS cache/proxy for clients internal to
enterprises... (the MS boxen doing it were cache servers, of course)
>
> Certainly, there are some applications which cannot cope with large RR
> sets (qmail comes to my mind).
>
Oh, that has to suck for email delivery, eh? :(
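As an added illustration of the two points argued in this thread (not part of the original message or of any posted code): a resolver that handles the TC bit correctly retries over TCP, and a "permit tcp any any eq 53 established" line, which matches only segments with ACK or RST set, never admits the SYN that opens that retry. The DNS headers and TCP flag values below are constructed sample data.

```python
import struct

# TCP flag bits (RFC 793) and DNS header flag bits (RFC 1035 section 4.1.1).
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
DNS_QR, DNS_TC = 0x8000, 0x0200

def established_acl_permits(dst_port: int, tcp_flags: int) -> bool:
    """Model of 'permit tcp any any eq 53 established' on the path to an auth
    server: the 'established' keyword matches only segments carrying ACK or
    RST, so a bare SYN opening a new connection to port 53 is not permitted."""
    return dst_port == 53 and bool(tcp_flags & (TCP_ACK | TCP_RST))

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS message header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & DNS_QR), "tc": bool(flags & DNS_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(udp_reply: bytes, expected_id: int) -> bool:
    """A resolver handling truncation properly retries over TCP when the UDP
    reply matches its query id and has QR=1 and TC=1."""
    h = parse_header(udp_reply)
    return h["id"] == expected_id and h["qr"] and h["tc"]

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg

# Constructed sample headers, id 0x1234, one question:
# 0x8380 = QR|TC|RD|RA (truncated), 0x8180 = QR|RD|RA with one answer.
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    # The resolver sees TC=1 and tries to open a TCP connection to port 53...
    print("retry over TCP:", needs_tcp_retry(TRUNCATED, 0x1234))            # True
    # ...but its SYN carries no ACK, so the 'established' line drops it;
    # only segments of an already-open connection would get through.
    print("SYN to 53 permitted:", established_acl_permits(53, TCP_SYN))     # False
    print("ACK to 53 permitted:", established_acl_permits(53, TCP_ACK))     # True
```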