large organization nameservers sending icmp packets to dns servers.
oberman at es.net
Wed Aug 8 17:02:36 UTC 2007
> Date: Tue, 7 Aug 2007 23:32:21 -0600
> From: "Jason J. W. Williams" <williamsjj at digitar.com>
> > The answer is simple- because they are supposed to be allowed. By
> > them you are breaking the agreed upon rules for the protocol. Before
> > long it becomes impossible to implement new features because you can't
> > sure if someone else hasn't broken something intentionally.
> I don't really have a dog in this fight about TCP 53. It does seem to me
> that it's a bit black and white to treat the RFCs as religious texts.
> It's important to follow them wherever possible, but frankly they don't
> foresee the bulk of the future security issues that usually materialize.
> So if a feature of the RFC isn't working for you security-wise, I
> believe it's your call to break with it there. As someone else said,
> don't complain when it breaks other things as well however.
It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking tcp/53 maybe stupid to do so, but
they are only violating a strong recommendation and not a requirement.
As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
> > If you don't like the rules- then change the damned protocol. Stop
> > doing whatever you want and then complaining when other people
> > with you.
> I think its possible to disagree without calling other folks stupid...
While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act blocking it is. (Intelligent people do stupid things.)
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 224 bytes
Desc: not available
More information about the NANOG