Re: large organization nameservers sending icmp packets to dns servers.

[Joe Abley <jabley () ca afilias info>]

On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:

> On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
>
> > > All things being equal (which they're usually not) you could use  
> > > the ACK
> > > response time of the TCP handshake if they've got TCP DNS resolution
> > > available. Though again most don't for security reasons...
> >
> > Then most are incredibly stupid.
>
> Those are impressively harsh words.

But they are hard to argue with.

> > In addition, any UDP truncated response needs to be retried via  
> > TCP- blocking it would cause a variety of problems.
>
> Since we are talking about authorities here, one can control the  
> size of ones responses.

"Never reply with anything big and hence never set TC" seems like a  
reasonable, expedient way to circumvent the problem of wholesale 53/ 
tcp-blocking stupidity. It doesn't make the behaviour any less  
stupid, though.

The "security" argument looks even more bizarre when you consider  
what the DO bit in a request will do in general to the size of a  
response, in the case of an authority server which has signed zone data.


Joe