large organization nameservers sending icmp packets to dns servers.

Kevin Oberman oberman at es.net
Wed Aug 8 17:02:36 UTC 2007


> Date: Tue, 7 Aug 2007 23:32:21 -0600
> From: "Jason J. W. Williams" <williamsjj at digitar.com>
> 
> > The answer is simple- because they are supposed to be allowed. By
> > disallowing them you are breaking the agreed upon rules for the protocol.
> > Before long it becomes impossible to implement new features because you
> > can't be sure if someone else hasn't broken something intentionally.
> 
> I don't really have a dog in this fight about TCP 53. It does seem to me
> that it's a bit black and white to treat the RFCs as religious texts.
> It's important to follow them wherever possible, but frankly they don't
> foresee the bulk of the future security issues that usually materialize.
> So if a feature of the RFC isn't working for you security-wise, I
> believe it's your call to break with it there. As someone else said,
> don't complain when it breaks other things as well however. 

It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking TCP/53 may be stupid to do so, but
they are only violating a strong recommendation and not a requirement.

As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
blocking TCP/53.

> 
> > If you don't like the rules- then change the damned protocol. Stop
> > just doing whatever you want and then complaining when other people
> > disagree with you.
> 
> I think it's possible to disagree without calling other folks stupid...

While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act of blocking it is. (Intelligent people do stupid things.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751