North American Network Operators Group

Re: maybe a dumb idea on how to fix the dns problems i don't know....
[email protected] (Matt F) writes:

> Why not just require TCP for a lookup if a response with an incorrect
> TXID is received? You could require TCP for just the one lookup or for
> some configured interval, say 1 hour. That should slow attackers down
> substantially.

because TCP is considered optional by many authority DNS server operators. it's only required if you expect AXFR or if you ever emit a TC bit. if you don't want to do TCP then you can rule out the TC bit and AXFR and just not do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs. anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day every day by actual DNS experts. you may not know about those discussions because they are not occurring on [email protected], where they would be off-topic, like this thread here. please join [email protected] and perhaps [email protected] if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on [email protected] again. not even on a sunday afternoon when just about anything goes.

--
Paul Vixie
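The policy quoted above, modelled as a small resolver state machine (an added example, not code from the thread or from any real resolver): a reply whose TXID does not match the outstanding query forces TCP to that authority for a configured interval, and a constructed UDP-only authority shows the failure mode Vixie points out. The server names, the `make_authority` stand-ins and the `Resolver` class are assumptions made for the demonstration.

```python
"""Added example: a resolver policy of the kind proposed in the quoted message.
On a reply whose TXID does not match the outstanding query, the resolver
requires TCP to that authority for a configured interval. The authority
objects and server names are constructed for the demonstration."""
import secrets
import struct

TCP_LOCK_SECONDS = 3600   # "some configured interval, say 1 hour"

def build_query_header(txid):
    # DNS header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)

def header_txid(packet):
    return struct.unpack("!H", packet[:2])[0]

def make_authority(tcp_capable, mangle_txid=False):
    """Constructed stand-in for an authority server: it echoes the query header
    as its response; with mangle_txid=True it returns a reply whose TXID does
    not match, which is what the resolver must treat as suspect."""
    def respond(query, transport):
        if mangle_txid:
            return struct.pack("!H", (header_txid(query) + 1) & 0xFFFF) + query[2:]
        return query
    return {"tcp_capable": tcp_capable, "respond": respond}

class Resolver:
    def __init__(self):
        self.tcp_until = {}   # server -> time until which TCP is required

    def transport_for(self, server, now):
        return "tcp" if self.tcp_until.get(server, 0) > now else "udp"

    def lookup(self, server, authority, now):
        txid = secrets.randbelow(1 << 16)           # fresh random 16-bit TXID
        transport = self.transport_for(server, now)
        if transport == "tcp" and not authority["tcp_capable"]:
            # Vixie's caveat: TCP is optional for authorities, so a forced-TCP
            # policy can turn a suspected spoof into a failed lookup.
            return "servfail"
        reply = authority["respond"](build_query_header(txid), transport)
        if header_txid(reply) != txid:
            # mismatched reply: discard it and require TCP to this server
            self.tcp_until[server] = now + TCP_LOCK_SECONDS
            return "mismatch"
        return "ok"
```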