large organization nameservers sending icmp packets to dns servers.
Joe Abley
jabley at ca.afilias.info
Tue Aug 7 19:19:30 UTC 2007
On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:
> On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
>
>>> All things being equal (which they're usually not) you could use the ACK
>>> response time of the TCP handshake if they've got TCP DNS resolution
>>> available. Though again most don't for security reasons...
>>
>> Then most are incredibly stupid.
>
> Those are impressively harsh words.
But they are hard to argue with.
>> In addition, any UDP truncated response needs to be retried via
>> TCP; blocking it would cause a variety of problems.
>
> Since we are talking about authorities here, one can control the
> size of one's responses.
"Never reply with anything big and hence never set TC" seems like a
reasonable, expedient way to circumvent the problem of wholesale
53/tcp-blocking stupidity. It doesn't make the behaviour any less
stupid, though.
The "security" argument looks even more bizarre when you consider
what the DO bit in a request will do in general to the size of a
response, in the case of an authority server which has signed zone data.
Joe
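As an added illustration (not part of the thread), a minimal resolver-side sketch of the mechanics Joe and Donald are arguing about: a query carrying the EDNS0 DO bit that asks a signing authority for the larger, RRSIG-bearing answer, the TC check on the UDP reply, and the TCP retry that a 53/tcp filter silently breaks. The server address is the caller's; the wire-format helpers are exercised on constructed bytes.

```python
import socket
import struct

TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags
DO_FLAG = 0x00008000      # DNSSEC OK bit, in the TTL field of the OPT RR (RFC 3225)

def build_query(name, qtype=1, dnssec_ok=False, txid=0x1234, udp_size=4096):
    """Wire-format query; with dnssec_ok an EDNS0 OPT RR carrying DO is appended."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = ext-rcode/version/flags with DO set, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_FLAG, 0)
    return msg

def is_truncated(resp):
    """True if the server set TC, i.e. the UDP answer is incomplete."""
    _, flags = struct.unpack("!HH", resp[:4])
    return bool(flags & TC_FLAG)

def query_udp(server, msg, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(65535)

def query_tcp(server, msg, timeout=3.0):
    """RFC 1035 framing: two-byte length prefix. A 53/tcp filter breaks this step."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("short TCP DNS response")
            data += chunk
        return data

def resolve(server, name, dnssec_ok=False):
    """UDP first; retry over TCP when TC is set, as every resolver must."""
    msg = build_query(name, dnssec_ok=dnssec_ok)
    resp = query_udp(server, msg)
    if is_truncated(resp):
        resp = query_tcp(server, msg)
    return resp
```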