[98438] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Paul Vixie)
Wed Aug 8 16:00:33 2007
To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 08 Aug 2007 19:11:48 +0000
In-Reply-To: <7ADA95D8-DED3-42E0-81C8-058C377D4988@mail-abuse.org>
Errors-To: owner-nanog@merit.edu

i normally agree with doug....

dotis@mail-abuse.org (Douglas Otis) writes:
> Ensuring an authoritative domain name server responds via UDP is a
> critical security requirement. TCP will not create the same risk of a
> resolver being poisoned, but a TCP connection will consume a significant
> amount of a name server's resources.

...but this is flat out wrong, dead wrong, no way to candy coat it, wrong.

--
Paul Vixie