To: dnsop@cafax.se
Cc: "D. J. Bernstein" <djb@cr.yp.to>
From: Francois romieu <romieu@nic.fr>
Date: Wed, 7 Feb 2001 13:56:19 +0000
Content-Disposition: inline
In-Reply-To: <20010206202956.8902.qmail@cr.yp.to>; from djb@cr.yp.to on Tue, Feb 06, 2001 at 08:29:56PM -0000
Reply-To: Francois romieu <tech@nic.fr>
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: Bogus nic.fr behavior
The Tue, Feb 06, 2001 at 08:29:56PM -0000, D. J. Bernstein wrote :
> Nilsson writes:
> > TCP and UDP are mandatory, regardless of query size.
>
> False. RFC 1123 _recommends_ TCP. Query size was explicitly identified
> as the reason for this recommendation: the authors believed that new DNS
> record types would someday require packets larger than 512 bytes.

RFC1035:
[...]
4.2. Transport

The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit.  While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance.  Zone refresh activities
must use virtual circuits because of the need for reliable transfer.

The Internet supports name server access using TCP [RFC-793] on server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port 53 (decimal).

My English is poor, but if you cut TCP, you don't support TCP "as well"
as UDP.
[...]

> Of course, TCP is required for zone transfers, but zone transfers aren't
> required for servers. A pure secondary server, or a primary server that
> uses (say) rsync for replication, doesn't need outgoing zone transfers.

Point taken.

> I recommend against TCP service on DNS servers that don't need it. TCP

Even if it's not the point of the discussion, I wouldn't advise rsync then.
[...]

> Perhaps that's true for BIND. But my DNS server goes to great effort to
> help new DNS administrators create correct configurations, and it does
> _not_ provide lame root information by default. As I said, there's a
> cost to keeping that information up to date.

    cat > /etc/cron.monthly/root-servers <<'EOF'
    #!/bin/sh
    # fetch the current root NS set and check the new file into RCS
    # (EOF is quoted so the backticks run monthly, not when the file is written)
    dig @a.root-servers.net . ns > /var/named/root.db
    ci -m"Mise à jour du `date +%Y-%m-%d`" -l /var/named/root.db
    EOF

+ crontab entry.

I'd be surprised to find any security-conscious admin who can't handle that.

--
Ueimor
AFNIC / NIC-France
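The transport point argued above (RFC 1035 4.2 expects a name server on TCP port 53 as well as UDP port 53, and a client must fall back to TCP when a UDP answer arrives truncated) can be checked from the client side. The following is an added example written for this archive page; it is not code from the thread, from nic.fr or from any server discussed here. It builds a minimal wire-format query, shows the 2-byte length framing TCP uses, reads the TC bit out of a reply, and probes both transports of a server whose name (`ns.example.test`) and the query id `0x1234` are constructed placeholders:

```python
"""Probe a DNS server's UDP and TCP transports as RFC 1035 4.2 expects them.
Constructed example for illustration; the server name is a placeholder."""
import socket
import struct

DNS_PORT = 53
TC_FLAG = 0x0200      # truncation bit in the header flags word
QR_FLAG = 0x8000      # response bit
QTYPE_NS = 2
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_NS, qid=0x1234):
    """Wire-format query: 12-byte header (RD set, QDCOUNT=1) + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]   # "." -> no labels
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(msg):
    """Over TCP every DNS message is prefixed with its length as a 2-byte big-endian field."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Decode the fixed 12-byte header; raises on a message too short to be DNS."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR_FLAG), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp(udp_reply):
    """True when the UDP answer was truncated, i.e. the client must retry over TCP."""
    return parse_header(udp_reply)["tc"]


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS messages may arrive in pieces)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed TCP stream mid-message")
        buf += chunk
    return buf


def query_udp(server, msg, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, DNS_PORT))
        reply, _ = s.recvfrom(4096)
    return reply


def query_tcp(server, msg, timeout=3.0):
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(msg))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def resolve(server, name):
    """Query over UDP first and retry over TCP only if the answer was truncated."""
    msg = build_query(name)
    reply = query_udp(server, msg)
    if needs_tcp(reply):
        reply = query_tcp(server, msg)
    return reply


def check_transports(server, name="."):
    """Report which transports answer; an unanswered TCP probe is the 'cut TCP' case."""
    msg = build_query(name)
    result = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = parse_header(fn(server, msg))
            result[label] = "ok" if hdr["qr"] and hdr["id"] == 0x1234 else "bad reply"
        except (OSError, ValueError) as exc:
            result[label] = "no answer (%s)" % exc
    return result


if __name__ == "__main__":
    print(check_transports("ns.example.test"))   # placeholder server name
```

Run it against a server you operate to see both transports reported as `ok`; a server that drops TCP port 53 shows `no answer` for `tcp`, and any client whose UDP answer comes back with TC set is then left with nothing to fall back to.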