nanog mailing list archives
Re: IPv6 rDNS
From: "Crist Clark" <Crist.Clark () globalstar com>
Date: Wed, 03 Nov 2010 16:02:13 -0700
On 11/3/2010 at 1:10 PM, Lamar Owen <lowen () pari edu> wrote:
> On Tuesday, November 02, 2010 02:21:14 pm Sven Olaf Kamphuis wrote:
>> getting rid of bind has various other advantages, such as no longer needing tcp to transfer "zone files" (Retarded concept to say the least) so there are no more "tcp issues" related to anycasting your authoritative dns servers, as you can simply have them talk to your central database over their bgp session ip, which isn't anycasted, no more port 53/tcp therefore! yay, good riddance!
>
> Performing zone transfers is not the only reason for 53/tcp; it can also be needed for long (>512 byte) query responses. Thanks to the one-two punch of DNSSEC and IPv6, the probability of a DNS response needing TCP on port 53 is much greater now.
That's mitigated by the fact that EDNS0 is required for DNSSEC, allowing larger queries to go over UDP. Still, blocking 53/tcp is perhaps second only to dropping all incoming ICMP in the quest to be the most widely deployed and severely broken thing done in the name of Internet security.

--
Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
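The EDNS0 and truncation mechanics the two posts above rely on, shown as an added illustration that is not part of the thread: a query carrying an OPT RR that advertises a UDP payload size larger than the classic 512 bytes, a parser that reads that advertised size back, and the TC-bit check a resolver uses to decide it must retry over 53/tcp (which a firewall dropping 53/tcp turns into a failed lookup). Standard library only; the query id, the example.com name and the truncated reply are constructed values.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum UDP payload (RFC 1035)
DO_FLAG = 0x8000         # DNSSEC OK bit, carried in the OPT RR's TTL field
TC_FLAG = 0x0200         # Truncated bit in the DNS header flags

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, udp_size=4096, dnssec_ok=True):
    """Query with an EDNS0 OPT RR advertising udp_size and (optionally) the DO bit."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, DO_FLAG if dnssec_ok else 0, 0)
    return header + question + opt

def advertised_udp_size(packet):
    """UDP payload size the sender advertised, or 512 when no OPT RR is present.
    Assumes the OPT RR directly follows the question (true for a query)."""
    qdcount, arcount = struct.unpack(">HH", packet[4:6] + packet[10:12])
    pos = 12
    for _ in range(qdcount):              # skip each question: name, type, class
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4
    if arcount == 0:
        return CLASSIC_UDP_LIMIT
    rtype, rclass = struct.unpack(">HH", packet[pos + 1:pos + 5])  # root owner is 1 byte
    return rclass if rtype == OPT_TYPE else CLASSIC_UDP_LIMIT

def needs_tcp_retry(response):
    """True when the server set TC: the answer did not fit the UDP size, so the
    resolver must retry over 53/tcp. Filtering 53/tcp turns that into a failure."""
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & TC_FLAG)

# Constructed sample reply to id 0x1234: QR, TC, RD and RA set, no records returned.
TRUNCATED_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack(">HH", 1, 1))

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), advertised_udp_size(q), needs_tcp_retry(TRUNCATED_REPLY))
```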