[80190] in North American Network Operators' Group


Re: using TCP53 for DNS

daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Wed Apr 27 03:25:30 2005

Date: Wed, 27 Apr 2005 09:21:31 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: nanog@merit.edu
In-Reply-To: <CEE26A72-6288-46E9-9499-386F3277B442@ianai.net>
Errors-To: owner-nanog@merit.edu


On Tue, Apr 26, 2005 at 12:39:09PM -0400,
 Patrick W. Gilmore <patrick@ianai.net> wrote 
 a message of 22 lines which said:

> From the thread (certainly not a scientific sampling), many people
> seem to be filtering port 53 TCP to their name servers.

Again, a non-scientific sampling but AFNIC (".fr" registry) *requires*
a successful technical check of the name servers *before* delegation
or technical change of a ".fr" domain. <soapbox>Every TLD should do
so.</soapbox>

Among the things we check is the TCP access to all the name servers.

A lot ("lot" is not a scientific word, I know) of people
complain. Very often, they are clueless ("TCP is only for zone
 transfers"), very often also they don't master their infrastructure
(DNS hosted somewhere else, "firewall" middlebox which is an unmanaged
black box, "firewall" which is managed by an external contractor on a
per-change charge basis, etc).
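A minimal version of the TCP/53 check the message describes, added here as an example; it is not AFNIC's own checker and not code from the original post. It builds an SOA query for the zone by hand, sends it over TCP with the 2-byte length prefix that DNS-over-TCP requires, and classifies the reply: a filtered port surfaces as a timeout or reset, a misconfigured server as REFUSED or a non-authoritative answer. The zone `example.fr.` and any server names passed on the command line are placeholders.

```python
import socket
import struct

# Constructed placeholders (not from the original message): the zone under
# check and the SOA qtype/class codes from RFC 1035.
ZONE = "example.fr."
QTYPE_SOA = 6
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qid: int = 0x1234, qtype: int = QTYPE_SOA) -> bytes:
    """Build a DNS query for `name` in class IN with RD=0, so a caching
    forwarder in the path cannot answer on the authoritative server's behalf."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 16-bit big-endian length
    (RFC 1035 section 4.2.2). UDP does not, so a UDP-only probe never
    exercises this path."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "tc": (flags >> 9) & 1, "rcode": flags & 0xF, "ancount": an}


def classify(resp: bytes, expect_id: int) -> dict:
    """Decide whether a reply proves the server answers authoritatively over TCP."""
    h = parse_header(resp)
    if h["id"] != expect_id or h["qr"] != 1:
        return {"ok": False, "reason": "reply id/QR mismatch"}
    if h["rcode"] != 0:
        return {"ok": False,
                "reason": "rcode %d (%s)" % (h["rcode"], RCODES.get(h["rcode"], "?"))}
    if not h["aa"]:
        return {"ok": False, "reason": "not authoritative (AA clear)"}
    if h["ancount"] == 0:
        return {"ok": False, "reason": "no SOA in answer section"}
    return {"ok": True, "reason": "authoritative SOA answer over TCP"}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may split the length prefix and message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf


def check_tcp53(server: str, zone: str = ZONE, timeout: float = 5.0) -> dict:
    """Connect to server:53 over TCP, send the SOA query and classify the reply.
    A filtered port shows up as a timeout or reset, not as a DNS error code."""
    qid = 0x1234
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(build_query(zone, qid)))
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return classify(recv_exact(s, length), qid)
    except OSError as e:  # timeout, refused, reset and unreachable all land here
        return {"ok": False, "reason": "TCP/53 failed: %s" % e}


if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:
        r = check_tcp53(server)
        print("%s %s: %s" % ("PASS" if r["ok"] else "FAIL", server, r["reason"]))
```

Run it as `python3 check_tcp53.py <ns1> <ns2> ...` against every name server in the delegation (server names are whatever you are checking; none are from the message). The same query with RD=0 over UDP should return the same authoritative SOA; a server that passes over UDP and fails here is exactly the "TCP is only for zone transfers" case, and it will also fail any resolver that retries over TCP after a truncated (TC=1) UDP reply, which RFC 7766 makes a mandatory transport.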