In message <barmar-dda2da.01122607052...@mara100-84.onlink.net>, Barry Margolin
 writes:
> In article <gtrqte$2in...@sf1.isc.org>,
>  Sam Wilson <sam.wil...@ed.ac.uk> wrote:
> 
> > In article <gtrbsa$296...@sf1.isc.org>, Mark Elkins <m...@posix.co.za> 
> > wrote:
> > 
> > > One place that TCP may make sense - if you are involved in a registry
> > > system and the process involves actually checking the information that
> > > you are given, including nameservers (do they exist, do they serve that
> > > zone - correctly?) - it may make a lot of sense to do TCP Digs for the
> > > information (though that should probably be after a failed UDP dig - as
> > > a number of people do insist on disallowing Port 53 TCP).
> > 
> > If the registry is testing for compliant servers then a failed TCP query 
> > should flag the server as non-working, as would a failed UDP query.
> 
> DNS servers MUST support UDP, and only SHOULD support TCP.  So a failed 
> TCP query should not flag the server as non-working.

        I would expect TLDs to not accept DNSSEC material without
        a working TCP/DNS service.  There are too many cases where
        resolvers are forced back to TCP with DNSSEC to allow it
        to happen.

        I also suspect that 99.9% of people that block DNS/TCP do
        so without the necessary considerations required to override
        the SHOULD of RFC 1123, Section 6.1.5.  Anyone that thinks
        TCP is only used for AXFR and can therefore be blocked
        clearly has not done the relevant study.
        
        Mark

        RFC 1123.

         *    "SHOULD"
         
              This word or the adjective "RECOMMENDED" means that there
              may exist valid reasons in particular circumstances to
              ignore this item, but the full implications should be
              understood and the case carefully weighed before choosing
              a different course.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
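The mechanism behind this exchange, as an added example that is not part of the thread and not ISC/BIND code: a resolver that sets DO=1 gets large DNSSEC answers, the server replies over UDP with TC=1 when the answer will not fit, and the resolver must repeat the query over TCP. The script below builds the query on the wire, performs that fallback, and runs a registry-style probe that reports UDP and TCP reachability separately. Everything here is assumed for illustration: the 4096-byte EDNS buffer, the fixed transaction id, example.com, the 192.0.2.1 answer, and the in-process fake nameserver that stands in for a real one so the code runs offline. The two real transports at the end are provided for use against a live server and are not exercised offline.

```python
"""Added example, not from the thread: minimal DNS wire helpers showing the
UDP -> TCP fallback that DNSSEC answers trigger, and what a registry probe
sees when 53/TCP is filtered. Standard library only."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "DNSKEY": 48}
EDNS_UDP_SIZE = 4096   # assumed advertised UDP payload size
DO_BIT = 0x8000        # DNSSEC OK flag, carried in the OPT RR's TTL field

def encode_name(name):
    """Owner name as length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, dnssec=True):
    """RD=1 query; with dnssec=True an EDNS0 OPT RR with DO=1 is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_BIT, 0) if dnssec else b""
    return header + question + opt

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}

def question_section(msg):
    i = 12
    while msg[i]:
        i += msg[i] + 1
    return msg[12:i + 5]            # name, QTYPE, QCLASS

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def resolve_with_fallback(query, udp_send, tcp_send):
    """Query over UDP; on TC=1 repeat over TCP. Senders take/return raw bytes."""
    resp = udp_send(query)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not hdr["tc"]:
        return resp, "udp"
    return tcp_send(query), "tcp"    # raises OSError if 53/TCP is filtered

def probe_server(query, udp_send, tcp_send):
    """Registry-style check: report UDP and TCP reachability separately."""
    out = {}
    for name, send in (("udp", udp_send), ("tcp", tcp_send)):
        try:
            h = parse_header(send(query))
            out[name] = h["qr"] and h["rcode"] == 0
            if name == "udp":
                out["udp_truncated"] = h["tc"]
        except (OSError, ValueError):
            out[name] = False
    return out

# Constructed stand-in for a nameserver so the example runs offline.
def make_response(query, tc, answer=b""):
    flags = 0x8180 | (0x0200 if tc else 0)            # QR RD RA [TC]
    header = struct.pack("!HHHHHH", parse_header(query)["id"], flags,
                         1, 1 if answer else 0, 0, 0)
    return header + question_section(query) + answer

def fake_server(block_tcp=False):
    """Truncates every UDP answer; answers in full over TCP unless block_tcp,
    which models a firewall refusing 53/TCP."""
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    def udp(msg):
        return make_response(msg, tc=True)             # header + question only
    def tcp(msg):
        if block_tcp:
            raise ConnectionRefusedError("53/TCP filtered")
        return make_response(msg, tc=False, answer=a_rr)
    return udp, tcp

# Real transports for use against a live server (not exercised offline).
def udp_transport(server, port=53, timeout=3):
    def send(msg):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, port))
            return s.recvfrom(EDNS_UDP_SIZE)[0]
    return send

def tcp_transport(server, port=53, timeout=3):
    def send(msg):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(msg))
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    raise OSError("connection closed mid-message")
                buf += chunk
            return buf[2:2 + struct.unpack("!H", buf[:2])[0]]
    return send
```

Against the fake server, `resolve_with_fallback` comes back via TCP with the answer, while `probe_server` with `block_tcp=True` reports UDP working but truncated and TCP failed, which is exactly the state a DO=1 resolver cannot recover from. Against a live server, pass `udp_transport(ip)` and `tcp_transport(ip)` in place of the fakes.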