

To: dnsop@cafax.se
Cc: "D. J. Bernstein" <djb@cr.yp.to>
From: Francois romieu <romieu@nic.fr>
Date: Wed, 7 Feb 2001 13:56:19 +0000
Content-Disposition: inline
In-Reply-To: <20010206202956.8902.qmail@cr.yp.to>; from djb@cr.yp.to on Tue, Feb 06, 2001 at 08:29:56PM -0000
Reply-To: Francois romieu <tech@nic.fr>
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.2.5i
Subject: Re: Bogus nic.fr behavior

On Tue, Feb 06, 2001 at 08:29:56PM -0000, D. J. Bernstein wrote:
> Nilsson writes:
> > TCP and UDP are mandatory, regardless of query size.
> 
> False. RFC 1123 _recommends_ TCP. Query size was explicitly identified
> as the reason for this recommendation: the authors believed that new DNS
> record types would someday require packets larger than 512 bytes.

RFC1035:
[...]
4.2. Transport

The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit.  While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance.  Zone refresh activities
must use virtual circuits because of the need for reliable transfer.

The Internet supports name server access using TCP [RFC-793] on server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port 53 (decimal).

My English is poor, but if you cut TCP, you don't support TCP "as well"
as UDP.

[...]
> Of course, TCP is required for zone transfers, but zone transfers aren't
> required for servers. A pure secondary server, or a primary server that
> uses (say) rsync for replication, doesn't need outgoing zone transfers.

Point taken.

> I recommend against TCP service on DNS servers that don't need it. TCP

Even if it's not the point of the discussion, I wouldn't advise rsync then.

[...]
> Perhaps that's true for BIND. But my DNS server goes to great effort to
> help new DNS administrators create correct configurations, and it does
> _not_ provide lame root information by default. As I said, there's a
> cost to keeping that information up to date.

cat > /etc/cron.monthly/root-servers <<'EOF'
#!/bin/sh
# Refresh the root hints from a root server and keep the history in RCS.
# (Quoted heredoc, so $(date) expands at each cron run, not once when this file is written.)

dig @a.root-servers.net . ns > /var/named/root.db.new &&
    mv /var/named/root.db.new /var/named/root.db
ci -m"Update of $(date +%Y-%m-%d)" -l /var/named/root.db
EOF
chmod +x /etc/cron.monthly/root-servers

+ crontab entry.

I'd be surprised to find any security-conscious admin who can't handle that.

-- 
Ueimor
AFNIC / NIC-France
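The transport point argued above (RFC 1035 section 4.2: TCP on port 53 "as well as" UDP) comes down to two wire-level details: UDP messages are capped at 512 bytes (section 4.2.1), and TCP messages carry a 2-byte length prefix (section 4.2.2), so a resolver that gets a truncated (TC=1) UDP answer has to re-ask over TCP. The following is an added example, not code from the thread or from either party's software. It builds the same root NS query the cron script sends with dig, frames it both ways, and decides when a TCP retry is mandatory; the sample truncated reply is constructed bytes, and the live lookup function at the end is the only part that touches the network.

```python
"""DNS over UDP vs. TCP: message framing and the TC-bit fallback (RFC 1035 4.2).

Added example for this thread, not from the original post. The sample reply
below is constructed for the demo; query_with_fallback() needs network access.
"""
from __future__ import annotations
import socket
import struct

UDP_MAX = 512          # RFC 1035 4.2.1: messages over UDP are limited to 512 bytes
QTYPE_NS, QCLASS_IN = 2, 1
TC_BIT = 0x0200        # TC (truncation) flag in the header flags word (RFC 1035 4.1.1)


def encode_name(qname: str) -> bytes:
    """Wire-format a domain name; "." (the root) becomes the single null label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_NS, txid: int = 0x1234) -> bytes:
    """Standard query with RD set: 12-byte header followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP each message is preceded by a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> list[bytes]:
    """Split a TCP byte stream back into messages; one stream may carry several."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        off += 2
        if off + n > len(stream):
            raise ValueError("short read: TCP stream ends inside a DNS message")
        msgs.append(stream[off:off + n])
        off += n
    return msgs


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, i.e. the UDP answer was cut at the 512-byte limit."""
    (flags,) = struct.unpack_from("!H", response, 2)
    return bool(flags & TC_BIT)


def must_use_tcp(query: bytes, udp_response: bytes | None) -> bool:
    """A resolver needs TCP if the query cannot fit in a UDP datagram at all, or if
    the UDP answer came back truncated. A server that filters TCP/53 fails both."""
    if len(query) > UDP_MAX:
        return True
    return udp_response is not None and is_truncated(udp_response)


# Constructed sample: a reply to the root NS query with QR, TC, RD and RA set
# (flags 0x8380) and no records, the shape a size-limited UDP answer would take.
SAMPLE_TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP stream mid-message")
        buf += chunk
    return buf


def query_with_fallback(server: str, qname: str, timeout: float = 3.0) -> tuple[str, bytes]:
    """Live lookup (needs network): UDP first, then TCP if the reply is truncated.
    Returns (transport_used, raw_response)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        resp = u.recv(UDP_MAX)
    if not must_use_tcp(q, resp):
        return "udp", resp
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_for_tcp(q))
        (n,) = struct.unpack("!H", _recv_exact(t, 2))
        return "tcp", _recv_exact(t, n)


if __name__ == "__main__":
    q = build_query(".")
    print("query bytes :", q.hex(), "len", len(q))
    print("tcp-framed  :", frame_for_tcp(q).hex())
    print("retry over TCP after sample reply?", must_use_tcp(q, SAMPLE_TRUNCATED_REPLY))
```

Running the script offline prints the 17-byte root NS query, its TCP framing with the 0x0011 length prefix, and `True` for the constructed truncated reply; pointing `query_with_fallback()` at a server that drops TCP/53 is the quickest way to see the failure the thread is arguing about, since the UDP leg succeeds and the TCP retry times out.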
