North American Network Operators Group


Re: large organization nameservers sending icmp packets to dns servers.

  • From: Kevin Oberman
  • Date: Wed Aug 08 13:15:57 2007

> Date: Tue, 7 Aug 2007 23:32:21 -0600
> From: "Jason J. W. Williams" <[email protected]>
> 
> > The answer is simple- because they are supposed to be allowed. By
> > disallowing them you are breaking the agreed upon rules for the protocol. Before
> > long it becomes impossible to implement new features because you can't
> > be sure if someone else hasn't broken something intentionally.
> 
> I don't really have a dog in this fight about TCP 53. It does seem to me
> that it's a bit black and white to treat the RFCs as religious texts.
> It's important to follow them wherever possible, but frankly they don't
> foresee the bulk of the future security issues that usually materialize.
> So if a feature of the RFC isn't working for you security-wise, I
> believe it's your call to break with it there. As someone else said,
> don't complain when it breaks other things as well however. 

It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking tcp/53 may be stupid to do so, but
they are only violating a strong recommendation and not a requirement.

As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
blocking TCP/53.

> 
> > If you don't like the rules- then change the damned protocol. Stop
> > just doing whatever you want and then complaining when other people
> > disagree with you.
> 
> I think it's possible to disagree without calling other folks stupid...

While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act of blocking it is. (Intelligent people do stupid things.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [email protected]			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

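The breakage the thread is circling is the TC-bit fallback of RFC 1035: a resolver that receives a truncated UDP reply must repeat the query over TCP/53, so a filter on TCP/53 turns every answer larger than the UDP payload limit (512 bytes without EDNS0) into a timeout. The Python below is an added example, not part of the original thread or of any NANOG poster's code; it implements the header parsing and fallback decision, and uses constructed stand-in transports (fake_udp, fake_tcp_open, fake_tcp_blocked) in place of real sockets so it runs offline.

```python
import struct
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100

def build_query(ident, name, qtype=1):
    # Standard recursive A query for `name`, class IN (RFC 1035 4.1.2 wire format).
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    # Decode the 12-byte header; only the fields the fallback decision needs.
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def needs_tcp_retry(response, expected_id):
    # TC=1 on a matching reply means the UDP answer was cut off: RFC 1035 says retry over TCP.
    h = parse_header(response)
    return h["qr"] and h["id"] == expected_id and h["tc"]

def frame_for_tcp(msg):
    # Over TCP every message carries a 2-byte big-endian length prefix (RFC 1035 4.2.2).
    return struct.pack("!H", len(msg)) + msg

def resolve(send_udp, send_tcp, ident, name):
    # Resolver loop: ask over UDP, fall back to TCP only when the reply is truncated.
    # Transports are injected so this runs offline; None = answer lost (filtered TCP/53).
    query = build_query(ident, name)
    reply = send_udp(query)
    if not needs_tcp_retry(reply, ident):
        return reply
    try:
        return send_tcp(frame_for_tcp(query))[2:]   # strip the TCP length prefix
    except TimeoutError:                             # a filter dropping TCP/53 looks exactly like this
        return None

# Constructed stand-in transports (not captured traffic): UDP returns a truncated reply
# (QR|TC|RD|RA = 0x8380, no answers); TCP either returns the full answer or times out.
def fake_udp(query):
    return struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8380, 1, 0, 0, 0) + query[12:]

def fake_tcp_open(framed):
    q = framed[2:]
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # example.com A 192.0.2.1
    return frame_for_tcp(struct.pack("!HHHHHH", struct.unpack("!H", q[:2])[0], 0x8180, 1, 1, 0, 0) + q[12:] + rr)

def fake_tcp_blocked(_framed):
    raise TimeoutError("connect to port 53/tcp timed out")
```

Swapping `fake_tcp_open` for `fake_tcp_blocked` is the whole difference between a resolved name and a lost answer, which is the "it will eventually break something" point made above.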