In message <barmar-dda2da.01122607052...@mara100-84.onlink.net>, Barry Margolin
writes:
> In article <gtrqte$2in...@sf1.isc.org>,
> Sam Wilson <sam.wil...@ed.ac.uk> wrote:
>
> > In article <gtrbsa$296...@sf1.isc.org>, Mark Elkins <m...@posix.co.za>
> > wrote:
> >
> > > One place that TCP may make sense - if you are involved in a registry
> > > system and the process involves actually checking the information that
> > > you are given, including nameservers (do they exist, do they serve that
> > > zone - correctly?) - it may make a lot of sense to do TCP Digs for the
> > > information (though that should probably be after a failed UDP dig - as
> > > a number of people do insist on disallowing Port 53 TCP).
> >
> > If the registry is testing for compliant servers then a failed TCP query
> > should flag the server as non-working, as would a failed UDP query.
>
> DNS servers MUST support UDP, and only SHOULD support TCP. So a failed
> TCP query should not flag the server as non-working.
I would expect TLD's to not accept DNSSEC material without
a working TCP/DNS service. There are too many cases where
resolvers are forced back to TCP with DNSSEC to allow it
to happen.
I also suspect that 99.9% of people that block DNS/TCP do
so without the necessary considerations required to override
the SHOULD of RFC 1123, Section 6.1.5. Anyone that thinks
TCP is only used for AXFR and can therefore be blocked
clearly has not done the relevent study.
Mark
RFC 1123.
* "SHOULD"
This word or the adjective "RECOMMENDED" means that there
may exist valid reasons in particular circumstances to
ignore this item, but the full implications should be
understood and the case carefully weighed before choosing
a different course.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
