nanog mailing list archives

Re: maybe a dumb idea on how to fix the dns problems i don't know....


From: Paul Vixie <vixie () isc org>
Date: Sat, 09 Aug 2008 22:28:21 +0000

matt () credibleinstitution org (Matt F) writes:

> Why not just require TCP for a lookup if a response with an incorrect
> TXID is received?  You could require TCP for just the one lookup or for
> some configured interval, say 1 hour.  That should slow attackers down
> substantially.

because TCP is considered optional by many authority DNS server operators.
it's only required if you expect AXFR or if you ever emit a TC bit.  if you
don't want to do TCP then you can rule out the TC bit and AXFR and just not
do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs.
anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day
every day by actual DNS experts.  you may not know about those discussions
because they are not occurring on nanog@, where they would be off-topic,
like this thread here.  please join namedroppers () ops ietf org and perhaps
dns-operations () lists oarci net if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on nanog@ again.
not even on a sunday afternoon when just about anything goes.
-- 
Paul Vixie
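To make the trade-off in this exchange concrete, here is an added toy model (not code from the thread or from either poster) of the resolver-side policy Matt proposes and the failure mode Paul points at: a server that never sets TC and never serves AXFR may legitimately not listen on TCP at all, so pinning it to TCP after one mismatched TXID turns a rejected forgery into an outage. Everything is in-memory; `FakeAuthority`, `TcpPinningResolver`, the server names and the 1-hour constant are constructed for the example.

```python
"""Toy model of "require TCP after a bad TXID" and its TCP-optional caveat.

Constructed example: a resolver that pins an authoritative server to TCP
for a configured interval after seeing a response whose transaction ID
does not match the outstanding query, and a fake authority that may or
may not answer TCP.  Nothing here touches the network.
"""
import random
from dataclasses import dataclass, field

TCP_PIN_SECONDS = 3600  # the proposal's "some configured interval, say 1 hour"


@dataclass
class FakeAuthority:
    """Stand-in for an authoritative server.  supports_tcp=False models the
    RFC-compliant operator who never emits TC, never serves AXFR, and so
    never opened port 53/TCP."""
    name: str
    supports_tcp: bool = True

    def answer(self, txid: int, transport: str):
        if transport == "tcp" and not self.supports_tcp:
            return None   # connection refused / timeout: no answer at all
        return txid       # a well-behaved server echoes the query's TXID


@dataclass
class TcpPinningResolver:
    tcp_until: dict = field(default_factory=dict)  # server name -> unix time
    mismatches: int = 0

    def transport_for(self, server: str, now: float) -> str:
        """UDP by default; TCP while a pin on this server is still live."""
        return "tcp" if self.tcp_until.get(server, 0) > now else "udp"

    def observe(self, server: str, expected: int, got: int, now: float) -> bool:
        """Record one received response.  A TXID mismatch is the signal the
        proposal keys on: count it and pin the server to TCP."""
        if got != expected:
            self.mismatches += 1
            self.tcp_until[server] = now + TCP_PIN_SECONDS
            return False
        return True

    def lookup(self, auth: FakeAuthority, now: float, forged: bool = False) -> str:
        """Outcome of one query: 'ok', 'rejected' (mismatched TXID seen and
        dropped) or 'unreachable' (pinned to TCP against a UDP-only server)."""
        txid = random.randrange(0, 1 << 16)          # 16-bit TXID, as in real DNS
        if self.transport_for(auth.name, now) == "tcp":
            return "ok" if auth.answer(txid, "tcp") is not None else "unreachable"
        if forged:
            # An off-path reply whose TXID guess missed; constructed to always
            # differ from the real TXID so the demo is deterministic.
            got = (txid + 1) & 0xFFFF
        else:
            got = auth.answer(txid, "udp")
        return "ok" if self.observe(auth.name, txid, got, now) else "rejected"


def simulate():
    """Run the same four-step sequence against a TCP-capable and a UDP-only
    authority and return the list of (server, outcome) pairs."""
    resolver = TcpPinningResolver()
    servers = [FakeAuthority("ns1.example", supports_tcp=True),
               FakeAuthority("ns2.example", supports_tcp=False)]
    t = 1_000_000.0
    log = []
    for auth in servers:
        log.append((auth.name, resolver.lookup(auth, t)))                        # normal UDP
        log.append((auth.name, resolver.lookup(auth, t, forged=True)))           # mismatch -> pin
        log.append((auth.name, resolver.lookup(auth, t + 60)))                   # inside the pin
        log.append((auth.name, resolver.lookup(auth, t + TCP_PIN_SECONDS + 1)))  # pin expired
    return log


if __name__ == "__main__":
    for server, outcome in simulate():
        print(f"{server:12s} {outcome}")
```

Against `ns1.example` the policy behaves as intended: the forged reply is dropped and the next hour of traffic goes over TCP. Against `ns2.example` the same policy makes the zone unreachable for the whole pin interval, which is exactly the objection in the reply above; a deployable version would have to fall back to UDP when TCP fails and count that fallback as an event worth alerting on, since it is indistinguishable from an attacker who has found a TCP-less target.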
