maybe a dumb idea on how to fix the dns problems i don't know....
vixie at isc.org
Sat Aug 9 17:28:21 CDT 2008
matt at credibleinstitution.org (Matt F) writes:
> Why not just require TCP for a lookup if a response with an incorrect
> TXID is received? You could require TCP for just the one lookup or for
> some configured interval, say 1 hour. That should slow attackers down
because TCP is considered optional by many authority DNS server operators.
it's only required if you expect AXFR or if you ever emit a TC bit. if you
don't want to do TCP then you can rule out the TC bit and AXFR and just not
do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.
anyone who insists on reaching such a server by TCP will be shit-outta-luck.
however, this suggestion and dozens of others are being workshopped all day
every day by actual DNS experts. you may not know about those discussions
because they are not occurring on [email protected], where they would be off-topic,
like this thread here. please join namedroppers at ops.ietf.org and perhaps
dns-operations at lists.oarci.net if you want to discuss DNS protocol matters.
please, please, please don't open this can of, um, worms on [email protected] again.
not even on a sunday afternoon when just about anything goes.
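As an added illustration of the trade-off the two messages above describe (not code from the thread, from ISC, or from any DNS implementation), the simulation below models Matt's policy: a resolver that, after one UDP answer with a wrong TXID, insists on TCP toward that authority server for a configured interval. It then shows Vixie's objection by including an authority server that never answers TCP. The class name, the one-hour interval, the server labels and the TXID values are all constructed assumptions; no packets are sent.

```python
"""Simulation of the "fall back to TCP after a TXID mismatch" policy.
Added example; everything here (names, interval, sample answers) is
a constructed assumption, not behaviour of any real resolver."""

from dataclasses import dataclass, field

# Matt's "configured interval, say 1 hour" (assumed value, in seconds).
TCP_PENALTY_SECONDS = 3600


@dataclass
class ResolverPolicy:
    """Per authority server, track until when the resolver must use TCP
    because a UDP answer with the wrong transaction ID was seen."""
    now: float = 0.0
    tcp_until: dict = field(default_factory=dict)    # server -> deadline
    tcp_capable: dict = field(default_factory=dict)  # server -> bool (assumed)
    mismatches: dict = field(default_factory=dict)   # server -> count

    def transport_for(self, server):
        """Return "tcp" while the server is under penalty, else "udp"."""
        if self.tcp_until.get(server, 0.0) > self.now:
            return "tcp"
        return "udp"

    def handle_udp_answer(self, server, expected_txid, answer_txid):
        """Accept a UDP answer only if its TXID matches the query.
        On a mismatch, count it and put the server under the TCP penalty."""
        if answer_txid == expected_txid:
            return True
        self.mismatches[server] = self.mismatches.get(server, 0) + 1
        self.tcp_until[server] = self.now + TCP_PENALTY_SECONDS
        return False

    def lookup(self, server, expected_txid, udp_answer_txid):
        """Resolve one query under the policy. Returns the transport that
        produced an accepted answer, or None if the lookup fails."""
        if self.transport_for(server) == "tcp":
            # Vixie's point: TCP is optional for authority servers, so a
            # server that only speaks UDP becomes unreachable while penalised.
            return "tcp" if self.tcp_capable.get(server, False) else None
        if self.handle_udp_answer(server, expected_txid, udp_answer_txid):
            return "udp"
        # Wrong TXID: retry this one lookup over TCP immediately, if possible.
        return "tcp" if self.tcp_capable.get(server, False) else None


def run_scenario():
    """Constructed timeline: one TCP-capable and one UDP-only authority server
    both deliver a wrong-TXID UDP answer at t=10."""
    p = ResolverPolicy()
    p.tcp_capable = {"ns-good": True, "ns-udp-only": False}
    results = []
    results.append(p.lookup("ns-good", 0x1234, 0x1234))       # clean answer
    results.append(p.lookup("ns-udp-only", 0x1234, 0x1234))   # clean answer
    p.now = 10                                                # wrong TXID seen
    results.append(p.lookup("ns-good", 0x1234, 0x9999))
    results.append(p.lookup("ns-udp-only", 0x1234, 0x9999))
    p.now = 20                                                # still penalised
    results.append(p.lookup("ns-good", 0x5678, 0x5678))
    results.append(p.lookup("ns-udp-only", 0x5678, 0x5678))
    p.now = 3700                                              # penalty expired
    results.append(p.lookup("ns-udp-only", 0x5678, 0x5678))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The timeline makes the cost visible: for the UDP-only server, a single bad answer (which could be nothing more than a stale or misrouted packet) turns into an hour of resolution failure, even for legitimate answers whose TXID matches, which is exactly why the penalty cannot be applied without first knowing whether the server answers TCP at all.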