large organization nameservers sending icmp packets to dns servers.

Joe Abley jabley at ca.afilias.info
Tue Aug 7 19:19:30 UTC 2007


On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:

> On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
>
>>> All things being equal (which they're usually not) you could use the ACK
>>> response time of the TCP handshake if they've got TCP DNS resolution
>>> available. Though again most don't for security reasons...
>>
>> Then most are incredibly stupid.
>
> Those are impressively harsh words.

But they are hard to argue with.

>> In addition, any UDP truncated response needs to be retried via TCP -
>> blocking it would cause a variety of problems.
>
> Since we are talking about authorities here, one can control the
> size of one's responses.

"Never reply with anything big and hence never set TC" seems like a
reasonable, expedient way to circumvent the problem of wholesale
53/tcp-blocking stupidity. It doesn't make the behaviour any less
stupid, though.

The "security" argument looks even more bizarre when you consider  
what the DO bit in a request will do in general to the size of a  
response, in the case of an authority server which has signed zone data.


Joe
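The size argument in the message above (keep answers under the classic UDP limit so TC is never set, and note what signed zone data does to that plan) can be made concrete with a small serialiser. The following is an added example, not code from the thread or from any of the participants: it builds a minimal DNS response in wire format (RFC 1035 header, question and RRs), sets the TC flag and drops the answer section when the message would not fit the advertised UDP payload size, and shows that the same ten-record answer which fits comfortably at 512 bytes overflows once a single RRSIG is attached. The owner name `example.test.`, the 192.0.2.x addresses and the zero-filled 256-byte signature are constructed placeholders; the RRSIG rdata layout follows RFC 4034 but nothing here is cryptographically valid. The `udp_limit` parameter generalises slightly beyond the text: an EDNS0 client advertises its own buffer size, and passing that value shows why the problem mostly bites on plain 512-byte paths.

```python
import struct

DNS_UDP_LIMIT = 512   # pre-EDNS0 UDP payload limit (RFC 1035 section 4.2.1)
TC_FLAG = 0x0200      # TrunCation bit in the second header word
RR_A = 1
RR_RRSIG = 46


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (no name compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner, rtype, rdata, ttl=300, rclass=1):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def a_records(owner, count):
    """Constructed A records in the 192.0.2.0/24 documentation range."""
    return [rr(owner, RR_A, bytes([192, 0, 2, i])) for i in range(1, count + 1)]


def synthetic_rrsig(owner, covered_type=RR_A, signer="example.test.", sig_len=256):
    """RRSIG-shaped record (RFC 4034 section 3.1) with a zero-filled signature.

    Algorithm 8 (RSA/SHA-256) with a 2048-bit key yields a 256-byte signature,
    so this reproduces the size impact of DO-bit responses without any real key.
    """
    fixed = struct.pack("!HBBIIIH", covered_type, 8, 2, 300, 0, 0, 0)
    return rr(owner, RR_RRSIG, fixed + encode_name(signer) + b"\x00" * sig_len)


def build_response(qname, qtype, answers, udp_limit=DNS_UDP_LIMIT, msg_id=0x1234):
    """Serialise an authoritative response, truncating (TC=1) if it would not fit.

    On truncation the answer section is dropped entirely, which is what forces
    the resolver to retry over TCP; a 53/tcp block then turns the lookup into a
    failure rather than a retry.
    """
    flags = 0x8400  # QR=1, AA=1, RCODE=0
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    full = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0) + question + b"".join(answers)
    if len(full) <= udp_limit:
        return full
    return struct.pack("!HHHHHH", msg_id, flags | TC_FLAG, 1, 0, 0, 0) + question


def is_truncated(msg):
    """Read the TC bit back out of a wire-format message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


if __name__ == "__main__":
    owner = "example.test."
    plain = a_records(owner, 10)
    signed = plain + [synthetic_rrsig(owner)]
    for label, answers, limit in (("10 x A, 512-byte path", plain, 512),
                                  ("10 x A + RRSIG, 512-byte path", signed, 512),
                                  ("10 x A + RRSIG, EDNS0 4096", signed, 4096)):
        full_len = len(build_response(owner, RR_A, answers, udp_limit=65535))
        resp = build_response(owner, RR_A, answers, udp_limit=limit)
        print(f"{label}: {full_len} bytes needed, sent {len(resp)}, TC={is_truncated(resp)}")
```

Run stand-alone, the script prints the three cases: 310 bytes for ten A records (fits), 622 bytes once the RRSIG is added (TC set and only the 30-byte header plus question returned on a 512-byte path), and the full 622-byte answer when the client advertises a 4096-byte EDNS0 buffer.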


