maybe a dumb idea on how to fix the dns problems i don't know....

Paul Vixie vixie at isc.org
Sat Aug 9 22:28:21 UTC 2008


matt at credibleinstitution.org (Matt F) writes:

> Why not just require TCP for a lookup if a response with an incorrect 
> TXID is received?  You could require TCP for just the one lookup or for 
> some configured interval, say 1 hour.  That should slow attackers down 
> substantially.

because TCP is considered optional by many authority DNS server operators.
it's only required if you expect AXFR or if you ever emit a TC bit.  if you
don't want to do TCP then you can rule out the TC bit and AXFR and just not
do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.
anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day
every day by actual DNS experts.  you may not know about those discussions
because they are not occurring on nanog@, where they would be off-topic,
like this thread here.  please join namedroppers at ops.ietf.org and perhaps
dns-operations at lists.oarci.net if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on nanog@ again.
not even on a sunday afternoon when just about anything goes.
-- 
Paul Vixie
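The mechanism Matt proposes and the objection Paul raises, as an added example that is not part of this thread and not code from any real resolver: a hypothetical resolver-side policy (`TcpFallbackPolicy`, `txid_of`, `make_header`, `walkthrough`, and the sample values `example.com.` and `192.0.2.53` are all constructed for this illustration) that compares the transaction ID in a response header against the outstanding query, switches that name's lookups to TCP for a one-hour window on a mismatch, and then models an authority that refuses TCP.

```python
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, network byte order)
DNS_HEADER = struct.Struct("!HHHHHH")


def txid_of(packet: bytes) -> int:
    """Return the 16-bit transaction ID from the header of a DNS message."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("DNS message shorter than a 12-byte header")
    return DNS_HEADER.unpack_from(packet, 0)[0]


def make_header(txid: int, is_response: bool) -> bytes:
    """Build a constructed 12-byte header (QR bit set for responses, one question)."""
    flags = 0x8000 if is_response else 0x0000
    return DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)


class TcpFallbackPolicy:
    """Hypothetical resolver-side policy (constructed for this example):
    after a response whose TXID does not match the outstanding query for a
    name, send that name's lookups over TCP for `window` seconds.
    """

    def __init__(self, window: float = 3600.0):
        self.window = window
        self.force_tcp_until = {}    # qname -> time until which TCP is required
        self.no_tcp_servers = set()  # authorities that refused TCP (Vixie's caveat)

    def note_response(self, qname: str, expected_txid: int, packet: bytes, now: float) -> bool:
        """Return True if the response TXID matches; otherwise arm the TCP window."""
        if txid_of(packet) == expected_txid:
            return True
        self.force_tcp_until[qname] = now + self.window
        return False

    def transport_for(self, qname: str, server: str, now: float) -> str:
        """Pick 'tcp' or 'udp' for the next query to `server` for `qname`."""
        until = self.force_tcp_until.get(qname)
        if until is None or now >= until:
            self.force_tcp_until.pop(qname, None)
            return "udp"
        if server in self.no_tcp_servers:
            # The authority does not speak TCP at all, so the resolver is back
            # on UDP for the very lookup it wanted to protect.  This is the gap
            # Vixie points at: a real resolver would have to choose between
            # this fallback and returning SERVFAIL.
            return "udp"
        return "tcp"

    def tcp_refused(self, server: str) -> None:
        """Record that `server` refused a TCP connection."""
        self.no_tcp_servers.add(server)


def walkthrough():
    """Run the policy over a constructed sequence and return the decisions made."""
    policy = TcpFallbackPolicy(window=3600.0)
    qname, server, t0 = "example.com.", "192.0.2.53", 1000.0  # constructed values
    query_txid = 0x1234
    decisions = [policy.transport_for(qname, server, t0)]              # 'udp'
    # A response arrives carrying a TXID that matches nothing we sent.
    matched = policy.note_response(qname, query_txid, make_header(0x4321, True), t0)
    decisions.append(policy.transport_for(qname, server, t0 + 1))     # 'tcp'
    # Same name, one hour and one second later: the window has expired.
    decisions.append(policy.transport_for(qname, server, t0 + 3601))  # 'udp'
    # Re-arm the window, then model an authority that refuses TCP.
    policy.note_response(qname, query_txid, make_header(0x4321, True), t0 + 4000)
    policy.tcp_refused(server)
    decisions.append(policy.transport_for(qname, server, t0 + 4001))  # 'udp'
    return matched, decisions


if __name__ == "__main__":
    print(walkthrough())  # (False, ['udp', 'tcp', 'udp', 'udp'])
```

The last decision is the point of Paul's reply: once the authority in question never answers TCP, the policy has nothing to escalate to, and a resolver implementing it must pick between silently returning to UDP and refusing to answer.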
