[98426] in North American Network Operators' Group


Re: large organization nameservers sending icmp packets to dns servers.

daemon@ATHENA.MIT.EDU (Kevin Oberman)
Wed Aug 8 13:13:16 2007

To: "Jason J. W. Williams" <williamsjj@digitar.com>
Cc: "Donald Stahl" <don@calis.blacksun.org>,
        "Joe Abley" <jabley@ca.afilias.info>,
        "Patrick W. Gilmore" <patrick@ianai.net>, "Nanog" <nanog@nanog.org>
In-Reply-To: Your message of "Tue, 07 Aug 2007 23:32:21 MDT."
             <D7D0907E265A834D995B9B4FC0078D4E76AD93@aristotle.boi.corp.us.digitar.com> 
Date: Wed, 08 Aug 2007 10:02:36 -0700
From: "Kevin Oberman" <oberman@es.net>

> Date: Tue, 7 Aug 2007 23:32:21 -0600
> From: "Jason J. W. Williams" <williamsjj@digitar.com>
> 
> > The answer is simple- because they are supposed to be allowed. By
> > disallowing them you are breaking the agreed upon rules for the protocol.
> > Before long it becomes impossible to implement new features because you
> > can't be sure if someone else hasn't broken something intentionally.
> 
> I don't really have a dog in this fight about TCP 53. It does seem to me
> that it's a bit black and white to treat the RFCs as religious texts.
> It's important to follow them wherever possible, but frankly they don't
> foresee the bulk of the future security issues that usually materialize.
> So if a feature of the RFC isn't working for you security-wise, I
> believe it's your call to break with it there. As someone else said,
> don't complain when it breaks other things as well however. 

It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking TCP/53 may be stupid to do so, but
they are only violating a strong recommendation and not a requirement.

As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
blocking TCP/53.

> 
> > If you don't like the rules- then change the damned protocol. Stop just
> > doing whatever you want and then complaining when other people disagree
> > with you.
> 
> I think it's possible to disagree without calling other folks stupid...

While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act of blocking it is. (Intelligent people do stupid things.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
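Added example, not part of the thread or of any poster's message: a small offline model of the resolver behaviour that a TCP/53 block breaks. A client queries over UDP first; when the answer does not fit in the classic 512-byte UDP payload the server sets the TC (truncated) bit and the client must repeat the query over TCP, where every message carries a 2-byte length prefix (RFC 1035). The fake server, its zone and the 192.0.2.x addresses are constructed here for illustration; udp_send/tcp_send/tcp_dropped are stand-ins for the network, not real sockets.

```python
"""Model of DNS UDP -> TCP fallback and what happens when TCP/53 is dropped.
Everything here is constructed for the example; no network access is made."""
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
UDP_MAX = 512                      # classic DNS/UDP payload limit (RFC 1035)


def build_query(txid, name, qtype=1):
    """Standard recursive query for NAME, QTYPE (1 = A), class IN."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return (HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))


def is_truncated(reply):
    """True when a *response* carries TC: the client must retry over TCP."""
    _, flags, *_ = HEADER.unpack_from(reply)
    return bool(flags & FLAG_QR) and bool(flags & FLAG_TC)


def answer_count(reply):
    """ANCOUNT from the header."""
    return HEADER.unpack_from(reply)[3]


def frame_tcp(msg):
    """DNS over TCP prefixes every message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def resolve(name, udp_send, tcp_send):
    """Resolver logic: UDP first, TCP retry when the reply is truncated.
    udp_send/tcp_send stand in for the network and take/return raw bytes;
    tcp_send raises OSError when a firewall drops TCP/53.
    Returns (transport_used, reply_bytes)."""
    query = build_query(0x1234, name)
    reply = udp_send(query)
    if not is_truncated(reply):
        return "udp", reply
    try:
        stream = tcp_send(frame_tcp(query))
    except OSError:
        return "blocked", None      # lookup fails outright: no fallback path left
    return "tcp", unframe_tcp(stream)


# ---- constructed fake authoritative server (hypothetical zone, not a real host) ----
def _fake_server(num_a_records):
    """Return (udp_send, tcp_send) for a name whose A RRset has NUM_A_RECORDS entries."""
    def full_answer(query):
        (txid,) = struct.unpack("!H", query[:2])
        question = query[HEADER.size:]
        # name pointer to offset 12 (the qname), type A, class IN, TTL 300, RDLENGTH 4
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers = b"".join(rr + bytes([192, 0, 2, i & 0xFF])
                           for i in range(num_a_records))
        return (HEADER.pack(txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, num_a_records, 0, 0)
                + question + answers)

    def udp_send(query):
        full = full_answer(query)
        if len(full) <= UDP_MAX:
            return full
        # Too big for UDP: send header + question only, with TC set.
        (txid,) = struct.unpack("!H", query[:2])
        return (HEADER.pack(txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC, 1, 0, 0, 0)
                + query[HEADER.size:])

    def tcp_send(stream):
        return frame_tcp(full_answer(unframe_tcp(stream)))

    return udp_send, tcp_send


def tcp_dropped(stream):
    """Stand-in for a firewall that silently drops TCP/53."""
    raise OSError("connect to tcp/53 timed out")


def demo():
    """Three lookups: a small RRset, a large one with TCP open, the same with TCP blocked."""
    udp, tcp = _fake_server(40)    # 40 A records: 12 + 17 + 40*16 = 669 bytes > 512
    return {
        "small": resolve("example.com", *_fake_server(3))[0],
        "large_open": resolve("example.com", udp, tcp)[0],
        "large_blocked": resolve("example.com", udp, tcp_dropped)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The "large_blocked" case is the point of the thread: the server behaved correctly, the client behaved correctly, and the name still does not resolve because a middlebox decided the SHOULD did not apply to it. Large RRsets, DNSSEC-signed answers and zone transfers all hit the same path.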
