North American Network Operators Group


Re: maybe a dumb idea on how to fix the dns problems i don't know....

  • From: Paul Vixie
  • Date: Sat Aug 09 18:28:31 2008

[email protected] (Matt F) writes:

> Why not just require TCP for a lookup if a response with an incorrect 
> TXID is received?  You could require TCP for just the one lookup or for 
> some configured interval, say 1 hour.  That should slow attackers down 
> substantially.

because TCP is considered optional by many authority DNS server operators.
it's only required if you expect AXFR or if you ever emit a TC bit.  if you
don't want to do TCP then you can rule out the TC bit and AXFR and just not
do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.
anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day
every day by actual DNS experts.  you may not know about those discussions
because they are not occurring on [email protected], where they would be off-topic,
like this thread here.  please join [email protected] and perhaps
[email protected] if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on [email protected] again.
not even on a sunday afternoon when just about anything goes.
-- 
Paul Vixie
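
As an added illustration (not code from the thread, from Matt F, or from Paul Vixie), the following Python sketch models the resolver-side policy Matt F proposes and the caveat Paul Vixie raises in reply. It parses the 12-byte DNS header from a response, compares the transaction ID against the one the resolver sent, and on a mismatch marks that server for TCP for a configured interval (one hour, as in the suggestion). It also records servers that turn out not to answer on TCP at all, so the policy falls back to UDP for them instead of failing the lookup. The class and function names, the in-memory server table, and the constructed sample wire bytes are all hypothetical; nothing here talks to the network.

```python
import struct
from dataclasses import dataclass, field

# Standard DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # set in FLAGS when the message is a response


def build_query_header(txid: int, qdcount: int = 1) -> bytes:
    """Constructed query header with RD set; the question section is omitted in this toy."""
    return DNS_HEADER.pack(txid, 0x0100, qdcount, 0, 0, 0)


def response_txid(wire: bytes) -> int:
    """Extract the transaction ID from a response header, rejecting anything that is not a response."""
    if len(wire) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, *_ = DNS_HEADER.unpack_from(wire)
    if not flags & QR_BIT:
        raise ValueError("not a response (QR bit clear)")
    return txid


@dataclass
class TcpFallbackPolicy:
    """Hypothetical per-server transport policy for a recursive resolver."""
    interval: float = 3600.0                       # seconds of TCP-only after a mismatch (1 hour)
    _tcp_until: dict = field(default_factory=dict)  # server -> timestamp until which TCP is required
    _no_tcp: set = field(default_factory=set)       # servers observed to refuse TCP entirely

    def check_response(self, server: str, sent_txid: int, wire: bytes, now: float) -> bool:
        """Return True if the response's TXID matches what we sent.

        A mismatch is an unexpected answer (at best a stale reply, at worst a
        spoofing attempt), so it is discarded and the server is switched to TCP
        for `interval` seconds. Malformed or non-response packets are dropped
        without changing transport state.
        """
        try:
            got = response_txid(wire)
        except ValueError:
            return False
        if got == sent_txid:
            return True
        self._tcp_until[server] = now + self.interval
        return False

    def transport_for(self, server: str, now: float) -> str:
        """Choose "tcp" or "udp" for the next query to this server."""
        if server in self._no_tcp:
            # Vixie's point: TCP is optional for authoritative servers that never
            # set TC and never serve AXFR, so insisting on it would just fail.
            return "udp"
        if self._tcp_until.get(server, 0.0) > now:
            return "tcp"
        return "udp"

    def mark_tcp_unavailable(self, server: str) -> None:
        """Record that a server refused or ignored TCP so we stop trying it."""
        self._no_tcp.add(server)
```

Usage: call `transport_for(server, now)` before each query, feed every received packet through `check_response`, and call `mark_tcp_unavailable` when a TCP connection to that server is refused. In a real resolver this state would also need to be keyed by the resolver's own source port and combined with port randomization; the sketch only shows the TXID check and the transport switch.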
