large organization nameservers sending icmp packets to dns servers.

Paul Vixie vixie at
Wed Aug 8 19:11:48 UTC 2007

i normally agree with doug....

dotis at (Douglas Otis) writes:
> Ensuring an authoritative domain name server responds via UDP is a
> critical security requirement.  TCP will not create the same risk of a
> resolver being poisoned, but a TCP connection will consume a significant
> amount of a name server's resources.

...but this is flat out wrong, dead wrong, no way to candy coat it, wrong.

Paul Vixie

