maybe a dumb idea on how to fix the dns problems i don't know....

Paul Vixie vixie at
Sat Aug 9 17:28:21 CDT 2008

matt at (Matt F) writes:

> Why not just require TCP for a lookup if a response with an incorrect 
> TXID is received?  You could require TCP for just the one lookup or for 
> some configured interval, say 1 hour.  That should slow attackers down 
> substantially.

because TCP is considered optional by many authority DNS server operators.
it's only required if you expect AXFR or if you ever emit a TC bit.  if you
don't want to do TCP then you can rule out the TC bit and AXFR and just not
do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.
anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day
every day by actual DNS experts.  you may not know about those discussions
because they are not occurring on [email protected], where they would be off-topic,
like this thread here.  please join namedroppers at and perhaps
dns-operations at if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on [email protected] again.
not even on a sunday afternoon when just about anything goes.
Paul Vixie
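To make the two positions concrete, here is an added example (not code from the thread or from any named project) that models a resolver's reaction to a response whose transaction ID does not match: it parses the 12-byte DNS header, records the mismatch per server, and switches that server to TCP for a configurable interval, which is Matt's proposal. It also carries Vixie's caveat: a server that never sets TC and offers no AXFR may legitimately not answer on TCP at all, so the transport decision takes a `server_supports_tcp` flag. The class and function names and the sample messages are constructed for illustration.

```python
import struct
import time

HEADER_LEN = 12  # fixed-size DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_header(txid, qr=1, tc=0, rcode=0, qdcount=1, ancount=0):
    """Construct a minimal DNS message header (sample data for the example)."""
    flags = (qr << 15) | (tc << 9) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def parse_header(msg):
    """Parse the header fields a resolver needs to vet a reply."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "tc": (flags >> 9) & 1,    # truncated: RFC-sanctioned reason to retry over TCP
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }


class TxidMismatchTracker:
    """Per-server bookkeeping of TXID mismatches and the resulting transport choice.

    A mismatched ID on UDP is either a late reply or a spoofing attempt; either
    way it is worth counting and, under the proposal in the thread, worth
    answering with a TCP-only window for that server.
    """

    def __init__(self, tcp_interval=3600.0):
        self.tcp_interval = tcp_interval      # seconds to prefer TCP after a mismatch
        self.mismatches = {}                  # server -> count (useful for monitoring)
        self.tcp_until = {}                   # server -> timestamp until which TCP is preferred

    def classify(self, server, expected_id, response, now=None):
        """Return 'ok', 'truncated', 'txid-mismatch' or 'not-a-response'."""
        now = time.time() if now is None else now
        hdr = parse_header(response)
        if hdr["qr"] != 1:
            return "not-a-response"
        if hdr["id"] != expected_id:
            self.mismatches[server] = self.mismatches.get(server, 0) + 1
            self.tcp_until[server] = now + self.tcp_interval
            return "txid-mismatch"
        if hdr["tc"]:
            return "truncated"  # normal protocol behaviour: re-ask over TCP
        return "ok"

    def transport_for(self, server, server_supports_tcp=True, now=None):
        """Pick 'tcp' or 'udp' for the next query to this server.

        Vixie's objection: many authority servers do not serve TCP unless they
        emit TC or allow AXFR, so forcing TCP there would break resolution.
        """
        now = time.time() if now is None else now
        if now < self.tcp_until.get(server, 0.0) and server_supports_tcp:
            return "tcp"
        return "udp"


if __name__ == "__main__":
    tracker = TxidMismatchTracker(tcp_interval=3600.0)
    good = build_header(0x1234)
    forged = build_header(0x9999)  # constructed reply whose ID does not match the query
    print(tracker.classify("ns1.example", 0x1234, good, now=1000.0))
    print(tracker.classify("ns1.example", 0x1234, forged, now=1000.0))
    print(tracker.transport_for("ns1.example", now=1000.0))
    print(tracker.transport_for("ns1.example", server_supports_tcp=False, now=1000.0))
```

The `mismatches` counter is the part a defender can act on regardless of the TCP question: a burst of mismatched IDs from one server is a signal worth logging and alerting on even if the resolver keeps using UDP.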
