[98391] in North American Network Operators' Group


Re: large organization nameservers sending icmp packets to dns servers.

daemon@ATHENA.MIT.EDU (Joe Abley)
Tue Aug 7 15:24:15 2007

In-Reply-To: <06D8529B-63B2-4E78-A70A-21E70219E4EC@ianai.net>
Cc: Nanog <nanog@nanog.org>
From: Joe Abley <jabley@ca.afilias.info>
Date: Tue, 7 Aug 2007 15:19:30 -0400
To: "Patrick W. Gilmore" <patrick@ianai.net>
Errors-To: owner-nanog@merit.edu



On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:

> On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
>
>>> All things being equal (which they're usually not) you could use the ACK response time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons...
>>
>> Then most are incredibly stupid.
>
> Those are impressively harsh words.

But they are hard to argue with.

>> In addition, any UDP truncated response needs to be retried via TCP - blocking it would cause a variety of problems.
>
> Since we are talking about authorities here, one can control the size of one's responses.

"Never reply with anything big and hence never set TC" seems like a reasonable, expedient way to circumvent the problem of wholesale 53/tcp-blocking stupidity. It doesn't make the behaviour any less stupid, though.

The "security" argument looks even more bizarre when you consider what the DO bit in a request will do in general to the size of a response, in the case of an authority server which has signed zone data.


Joe
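The two mechanics the thread turns on, shown at the wire level as an added example (not code from the thread or from any poster): a query builder that optionally adds the EDNS0 OPT record carrying the DO bit, a header parser that reads the TC flag so a resolver knows it must retry over TCP, and the two-octet length framing that TCP DNS uses. The sample truncated response is constructed for the example; only the standard library is used.

```python
"""Added example: DNS query construction (with or without the EDNS0 DO bit),
TC-flag detection on a UDP reply, and TCP framing (RFC 1035 sections 4.1.1,
4.2.2 and RFC 6891 section 6.1.2 wire formats)."""
import struct

def build_query(qname, qtype=1, qid=0x1234, do_bit=False, udp_size=4096):
    """Encode a standard recursive query for qname; with do_bit=True append an
    OPT RR that asks the authority to include DNSSEC data (what grows answers)."""
    arcount = 1 if do_bit else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)       # class IN
    if not do_bit:
        return header + question
    # OPT RR: root owner name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field = ext-RCODE(8) | version(8) | flags(16); DO is the top flag bit.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-octet DNS header into its fields and the flags we care about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def needs_tcp_retry(udp_response):
    """A reply with TC=1 is incomplete; a correct resolver re-asks over 53/tcp."""
    return parse_header(udp_response)["tc"]

def tcp_frame(message):
    """DNS over TCP prefixes every message with its length in two octets."""
    return struct.pack("!H", len(message)) + message

# Constructed sample: a UDP reply to our query with QR=1, TC=1, RD=1, RA=1
# (flags 0x8380), one question and one answer section entry declared.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 0)
                    + b"\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    plain = build_query("example.com")
    dnssec = build_query("example.com", do_bit=True)
    print(len(plain), len(dnssec), needs_tcp_retry(SAMPLE_TRUNCATED))
    print(tcp_frame(dnssec)[:2].hex())
```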
