maybe a dumb idea on how to fix the dns problems i don't know....

Paul Vixie vixie at isc.org
Sat Aug 9 17:28:21 CDT 2008


matt at credibleinstitution.org (Matt F) writes:

> Why not just require TCP for a lookup if a response with an incorrect 
> TXID is received?  You could require TCP for just the one lookup or for 
> some configured interval, say 1 hour.  That should slow attackers down 
> substantially.

because TCP is considered optional by many authority DNS server operators.
it's only required if you expect AXFR or if you ever emit a TC bit.  if you
don't want to do TCP then you can rule out the TC bit and AXFR and just not
do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.
anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day
every day by actual DNS experts.  you may not know about those discussions
because they are not occurring on [email protected], where they would be off-topic,
like this thread here.  please join namedroppers at ops.ietf.org and perhaps
dns-operations at lists.oarci.net if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on [email protected] again.
not even on a sunday afternoon when just about anything goes.
-- 
Paul Vixie
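The policy proposed in the quoted message, sketched as an added example that is not part of either author's post: a resolver-side check that compares the TXID of a UDP answer against the one it sent, and on a mismatch marks that server for TCP for a configured interval. Names such as FallbackTracker and the server address 192.0.2.53 are assumptions made for illustration, and the packets are constructed in-process, no network is touched; as the reply notes, the fallback only helps against servers that actually answer over TCP.

```python
import secrets
import struct
import time

FALLBACK_SECONDS = 3600  # "some configured interval, say 1 hour"


def new_txid():
    """Unpredictable 16-bit transaction ID for an outgoing query."""
    return secrets.randbelow(1 << 16)


def build_query(qname, txid):
    """Minimal RFC 1035 A-record query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", 1, 1)


def txid_of(packet):
    """The transaction ID is the first 16-bit field of every DNS message."""
    return struct.unpack("!H", packet[:2])[0]


def fake_answer(txid, qname):
    """Constructed answer (QR set, NOERROR); only the header matters for the TXID check."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + build_query(qname, txid)[12:]


class FallbackTracker:
    """Per-server record of wrong-TXID answers and the TCP-fallback deadline (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tcp_until = {}   # server -> time until which lookups use TCP
        self.mismatches = {}  # server -> count of wrong-TXID answers, for alerting

    def transport_for(self, server):
        return "tcp" if self.tcp_until.get(server, 0) > self.clock() else "udp"

    def accept(self, server, expected_txid, response):
        """True if the answer's TXID matches; otherwise count the mismatch,
        switch this server to TCP for FALLBACK_SECONDS, and reject the answer."""
        if txid_of(response) == expected_txid:
            return True
        self.mismatches[server] = self.mismatches.get(server, 0) + 1
        self.tcp_until[server] = self.clock() + FALLBACK_SECONDS
        return False
```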
