To: dnsop@cafax.se
From: Rob Austein <sra+dnsop@hactrn.net>
Date: Fri, 08 Aug 2003 18:18:05 -0400
In-Reply-To: <20030808210729.17648.qmail@cr.yp.to>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.10.0 (Venus) Emacs/20.7 Mule/4.0 (HANANOEN)
Subject: Re: scope
At 8 Aug 2003 21:07:29 -0000, Daniel J. Bernstein wrote:
>
> The administrator who sets up that firewall, but neglects to set up DNS
> service inside it, will find that his clients can't browse the web. This
> is exactly the behavior I'd expect.

Yes, if they screw this up for all of the well-known addresses.  What if
they only screw up one of them?

> Why do you say ``Oops''? What's the big deal?
>
> Do you also worry when people set up DNS caches that are firewalled away
> from the root servers? Do you realize that the DNS root server addresses
> are ``well-known addresses''?

In reverse order, yes, I do realize that the root server addresses are
well-known, and that's part of what worries me.  Studies of traffic
observed at those servers suggest that a significant fraction of the total
root server query load is the result of bad packet filtering that lets
queries get out but blocks some or all responses.  Discovery based on
well-known addresses is a bit different because the packets (probably)
stop at the edge of the default free zone, but the potential for bug
amplification is similar.

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
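The "bug amplification" Austein describes (queries get out, replies get dropped, the client keeps retrying) is easy to see with a small simulation. The following is an added example and is not part of the thread or of any real resolver; the four addresses are RFC 5737 documentation addresses standing in for "well-known" servers, the client is a hypothetical naive stub resolver that tries each address in turn and retries a fixed number of times, and no packets are actually sent. It also models the case where only one of the well-known addresses is misfiltered, and a crude server-selection heuristic (demote servers that timed out) as a point of comparison.

```python
"""Added example (not part of the dnsop thread): simulate how a firewall that
lets DNS queries out but drops the replies inflates the query load seen by a
set of well-known server addresses.

Everything here is constructed: the four addresses are RFC 5737 documentation
addresses standing in for "well-known" servers, the client is a hypothetical
try-each-address-then-retry stub resolver, and no packets are sent.
"""

WELL_KNOWN = ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4")


class Network:
    """Counts queries arriving at each server; replies from servers in
    `blocked` are silently dropped on the way back (asymmetric filtering)."""

    def __init__(self, blocked=()):
        self.blocked = frozenset(blocked)
        self.queries_seen = {s: 0 for s in WELL_KNOWN}

    def send(self, server):
        self.queries_seen[server] += 1          # the query always gets out
        return server not in self.blocked       # the reply may not get back


def lookup(net, order, retries):
    """One resolution: walk the preference list, retry on timeout.
    Returns (server that answered or None, servers tried in order)."""
    tried = []
    for _ in range(retries):
        for server in order:
            tried.append(server)
            if net.send(server):
                return server, tried
    return None, tried


def query_load(blocked=(), lookups=100, retries=3, remember_timeouts=False):
    """Run `lookups` resolutions against a network with the given blocked
    set. Returns (total queries that reached the servers, lookups answered).

    remember_timeouts=True models a crude resolver heuristic: servers that
    timed out are moved to the back of the preference list."""
    net = Network(blocked)
    order = list(WELL_KNOWN)
    answered = 0
    for _ in range(lookups):
        got, tried = lookup(net, order, retries)
        if got is not None:
            answered += 1
        if remember_timeouts:
            for s in dict.fromkeys(tried):      # dedupe, keep first-seen order
                if s != got:
                    order.remove(s)
                    order.append(s)
    return sum(net.queries_seen.values()), answered


def amplification(blocked=(), **kw):
    """Queries per lookup relative to a correctly filtered network (1.0)."""
    total, _ = query_load(blocked, **kw)
    return total / kw.get("lookups", 100)


if __name__ == "__main__":
    for label, blocked in [("nothing blocked", ()),
                           ("one of four blocked", WELL_KNOWN[:1]),
                           ("all four blocked", WELL_KNOWN)]:
        for remember in (False, True):
            total, ok = query_load(blocked, remember_timeouts=remember)
            print(f"{label:20s} remember={remember!s:5s} "
                  f"queries={total:5d} answered={ok:3d}")
```

With nothing blocked the servers see one query per lookup. Misfiltering just one of the four addresses doubles the load the naive client puts on the servers (the blocked one is hit first on every lookup, and that query still arrives), while the client's users notice nothing because the second server answers. Blocking all four gives the "can't browse the web" failure Bernstein expects, but every failed lookup still lands retries × servers queries on the well-known addresses. The demote-on-timeout heuristic removes the amplification in the one-bad-address case after the first lookup, which is why real resolvers keep per-server response statistics rather than a fixed order.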