nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: large organization nameservers sending icmp packets to dns servers.

From: "Kevin Oberman" <oberman () es net>
Date: Wed, 08 Aug 2007 10:02:36 -0700
Date: Tue, 7 Aug 2007 23:32:21 -0600
From: "Jason J. W. Williams" <williamsjj () digitar com>


The answer is simple- because they are supposed to be allowed. By

disallowing 

them you are breaking the agreed upon rules for the protocol. Before 
long it becomes impossible to implement new features because you can't

be 

sure if someone else hasn't broken something intentionally.


I don't really have a dog in this fight about TCP 53. It does seem to me
that it's a bit black and white to treat the RFCs as religious texts.
It's important to follow them wherever possible, but frankly they don't
foresee the bulk of the future security issues that usually materialize.
So if a feature of the RFC isn't working for you security-wise, I
believe it's your call to break with it there. As someone else said,
don't complain when it breaks other things as well however. 


It is worth noting that we are not talking about just RFCs here, but STD
or "Internet Standards". RFCs are a variety of things, but when they
become Internet Standards, they are supposed to be mandatory. That said,
the STD makes opening TCP/53 non-mandatory as it is labeled as a
"SHOULD", not a "MUST". Those blocking tcp/53 maybe stupid to do so, but
they are only violating a strong recommendation and not a requirement.

As is often pointed out, blocking port 53 will eventually almost
certainly break something and I have yet to see a good argument for
blocking TCP/53.




If you don't like the rules- then change the damned protocol. Stop

just 

doing whatever you want and then complaining when other people

disagree 

with you.


I think its possible to disagree without calling other folks stupid...


While the folks blocking or suggesting blocking TCP/53 may not be
stupid, the act blocking it is. (Intelligent people do stupid things.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: