large organization nameservers sending icmp packets to dns servers.
Kevin Oberman
oberman at es.net
Wed Aug 8 17:02:36 UTC 2007
> Date: Tue, 7 Aug 2007 23:32:21 -0600
> From: "Jason J. W. Williams" <williamsjj at digitar.com>
>
> > The answer is simple- because they are supposed to be allowed. By
> > disallowing them you are breaking the agreed upon rules for the
> > protocol. Before long it becomes impossible to implement new features
> > because you can't be sure if someone else hasn't broken something
> > intentionally.
>
> I don't really have a dog in this fight about TCP 53. It does seem to me
> that it's a bit black and white to treat the RFCs as religious texts.
> It's important to follow them wherever possible, but frankly they don't
> foresee the bulk of the future security issues that usually materialize.
> So if a feature of the RFC isn't working for you security-wise, I
> believe it's your call to break with it there. As someone else said,
> don't complain when it breaks other things as well however.
It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking TCP/53 may be stupid to do so, but
they are only violating a strong recommendation and not a requirement.
As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
blocking TCP/53.
>
> > If you don't like the rules- then change the damned protocol. Stop
> > just doing whatever you want and then complaining when other people
> > disagree with you.
>
> I think it's possible to disagree without calling other folks stupid...
While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act of blocking it is. (Intelligent people do stupid things.)
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
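Kevin's closing point is that blocking TCP/53 will eventually break something. The following Python is an added example, not part of the thread and not code from ESnet or anyone quoted above; it models the mechanism a TCP/53 filter interferes with. A resolver asks over UDP; when the answer does not fit in the classic 512-byte UDP payload (no EDNS0 assumed here), the server sets the TC bit and the resolver must repeat the same query over TCP, framed with a 2-byte length prefix (RFC 1035 sections 4.2.1 and 4.2.2). The authoritative server, the "firewall" and the zone data are constructed in-process stand-ins, so nothing leaves the host; the names `FakeAuthServer`, `tcp53_filtered`, `resolve` and `demo`, and the `*.example.` records, are all invented for the illustration.

```python
import struct
DNS_TC = 0x0200         # TC (truncated) bit in the flags word
UDP_PAYLOAD_MAX = 512   # classic UDP limit when no EDNS0 is negotiated

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_header(txid, flags, qd=1, an=0):
    return struct.pack("!HHHHHH", txid, flags, qd, an, 0, 0)

def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & DNS_TC), "qdcount": qd, "ancount": an}

def build_query(txid, name, qtype=1):
    return build_header(txid, 0x0100) + encode_name(name) + struct.pack("!HH", qtype, 1)  # flags: RD

def skip_name(msg, off):
    """Offset just past a name (plain labels or a 2-byte compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_a_records(msg):
    hdr, off, addrs = parse_header(msg), 12, []
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def tcp_frame(msg):  # DNS over TCP prefixes every message with a 2-byte length
    return struct.pack("!H", len(msg)) + msg
def tcp_unframe(stream):
    return stream[2:2 + struct.unpack("!H", stream[:2])[0]]

class FakeAuthServer:
    """Constructed stand-in for an authoritative server; not a real implementation."""
    def __init__(self, records):
        self.records = {encode_name(n): ips for n, ips in records.items()}

    def _respond(self, query):
        qend = skip_name(query, 12) + 4
        ips = self.records.get(query[12:qend - 4], [])
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in ips)
        return build_header(parse_header(query)["id"], 0x8180, 1, len(ips)) + query[12:qend] + rrs

    def udp(self, query):
        resp = self._respond(query)
        if len(resp) <= UDP_PAYLOAD_MAX:
            return resp
        # Too big for UDP: set TC and send header + question only; client must retry over TCP
        qend = skip_name(query, 12) + 4
        return build_header(parse_header(query)["id"], 0x8180 | DNS_TC, 1, 0) + query[12:qend]

    def tcp(self, framed_query):
        return tcp_frame(self._respond(tcp_unframe(framed_query)))

def tcp53_filtered(framed_query):
    raise ConnectionRefusedError("TCP/53 filtered")  # stand-in for a firewall dropping TCP/53

def resolve(name, udp_send, tcp_send, txid=0x1234):
    """Ask over UDP; if the answer is truncated, repeat the same query over TCP."""
    query = build_query(txid, name)
    resp, via = udp_send(query), "udp"
    if parse_header(resp)["id"] != txid:
        raise ValueError("transaction id mismatch")
    if parse_header(resp)["tc"]:
        try:
            resp, via = tcp_unframe(tcp_send(tcp_frame(query))), "tcp"
        except OSError as e:  # refused or timed out: something filters TCP/53
            raise RuntimeError(f"truncated UDP answer and TCP retry failed: {e}") from e
    return parse_a_records(resp), via

# Constructed zone data: 40 A records push the answer well past 512 bytes.
SERVER = FakeAuthServer({"small.example.": ["198.51.100.7"],
                         "big.example.": [f"192.0.2.{i}" for i in range(1, 41)]})

def demo():
    """Fits in UDP; needs TCP; needs TCP but a firewall filters TCP/53."""
    small = resolve("small.example.", SERVER.udp, SERVER.tcp)
    big = resolve("big.example.", SERVER.udp, SERVER.tcp)
    try:
        blocked = resolve("big.example.", SERVER.udp, tcp53_filtered)
    except RuntimeError as e:
        blocked = str(e)
    return {"small": small, "big": big, "blocked": blocked}
```

Running `demo()` shows the small name resolving over UDP, the large one falling back to TCP with all 40 addresses intact, and the third case failing outright because the retry is refused. EDNS0 raises the UDP limit but does not remove the TC path, and zone transfers (AXFR/IXFR) run over TCP only, so a TCP/53 filter on an authoritative server's path also breaks secondaries.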