Re: large organization nameservers sending icmp packets to dns servers.

[Paul Vixie <vixie () vix com>]

i normally agree with doug....

dotis () mail-abuse org (Douglas Otis) writes:
> Ensuring an authoritative domain name server responds via UDP is a
> critical security requirement.  TCP will not create the same risk of a
> resolver being poisoned, but a TCP connection will consume a significant
> amount of a name server's resources.

...but this is flat out wrong, dead wrong, no way to candy coat it, wrong.
-- 
Paul Vixie