In message <barmar-dda2da.01122607052...@mara100-84.onlink.net>, Barry Margolin writes:
> In article <gtrqte$2in...@sf1.isc.org>,
> Sam Wilson <sam.wil...@ed.ac.uk> wrote:
>
> > In article <gtrbsa$296...@sf1.isc.org>, Mark Elkins <m...@posix.co.za>
> > wrote:
> >
> > > One place that TCP may make sense - if you are involved in a registry
> > > system and the process involves actually checking the information that
> > > you are given, including nameservers (do they exist, do they serve that
> > > zone - correctly?) - it may make a lot of sense to do TCP Digs for the
> > > information (though that should probably be after a failed UDP dig - as
> > > a number of people do insist on disallowing Port 53 TCP).
> >
> > If the registry is testing for compliant servers then a failed TCP query
> > should flag the server as non-working, as would a failed UDP query.
>
> DNS servers MUST support UDP, and only SHOULD support TCP. So a failed
> TCP query should not flag the server as non-working.
I would expect TLDs to not accept DNSSEC material without a working TCP/DNS service. There are too many cases where resolvers are forced back to TCP with DNSSEC to allow it to happen.

I also suspect that 99.9% of people that block DNS/TCP do so without the necessary considerations required to override the SHOULD of RFC 1123, Section 6.1.5. Anyone that thinks TCP is only used for AXFR and can therefore be blocked clearly has not done the relevant study.

Mark

RFC 1123.

* "SHOULD"

This word or the adjective "RECOMMENDED" means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before choosing a different course.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
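The registry check Mark Elkins describes (a UDP query first, a TCP query after the UDP one fails) together with Mark Andrews's point that DNSSEC answers force resolvers back to TCP, written out as an added example. This is not code from the thread, from ISC or from any registry. It builds a raw query with an EDNS0 OPT record and the DO bit set, sends it over UDP, retries over TCP when the UDP answer comes back truncated (TC=1) or not at all, and classifies the server so that "truncated over UDP and 53/tcp blocked" is reported separately from "dead". The zone name, the DNSKEY qtype and the header-only fake responses in the demo are constructed assumptions; only `check_live` touches the network.

```python
import secrets
import socket
import struct

DNS_PORT = 53
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
TYPE_OPT, DO_BIT = 41, 0x8000


def build_query(qname, qtype=1, dnssec_ok=True, udp_size=4096, txid=None):
    """Minimal query: RD=1, one question, one EDNS0 OPT RR (DO set if dnssec_ok)."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split(".") if p)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: NAME="", TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if dnssec_ok else 0, 0)
    return txid, header + question + opt


def parse_header(resp):
    """The header fields the transport decision needs."""
    if len(resp) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def query_udp(server, pkt, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, DNS_PORT))
        return s.recv(65535)


def query_tcp(server, pkt, timeout=3.0):
    """RFC 1035 section 4.2.2 framing: two-byte length prefix before each message."""
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        f = s.makefile("rb")
        prefix = f.read(2)
        if len(prefix) < 2:
            raise ConnectionError("TCP stream closed before the length prefix")
        return f.read(struct.unpack("!H", prefix)[0])


def check_server(udp_fn, tcp_fn, txid, pkt):
    """Classify a server; udp_fn/tcp_fn take query bytes and return a response or raise.
    ok: UDP answered untruncated. ok_via_tcp: UDP truncated, TCP delivered it.
    udp_truncated_no_tcp: DNSSEC-sized answers cannot be delivered. tcp_only: UDP dead
    (violates the UDP MUST). dead: neither transport answers."""
    def valid(resp):
        h = parse_header(resp)
        return h if h["qr"] and h["id"] == txid else None  # id mismatch: treat like a spoof

    udp_hdr = tcp_hdr = None
    try:
        udp_hdr = valid(udp_fn(pkt))
    except (OSError, ValueError):
        pass
    if udp_hdr and not udp_hdr["tc"]:
        return "ok", udp_hdr
    try:
        tcp_hdr = valid(tcp_fn(pkt))
    except (OSError, ValueError):
        pass
    if udp_hdr and tcp_hdr:
        return "ok_via_tcp", tcp_hdr
    if udp_hdr:
        return "udp_truncated_no_tcp", udp_hdr
    if tcp_hdr:
        return "tcp_only", tcp_hdr
    return "dead", None


def check_live(server, qname, qtype=1):
    """Real check: the only path that touches the network."""
    txid, pkt = build_query(qname, qtype)
    return check_server(lambda p: query_udp(server, p), lambda p: query_tcp(server, p), txid, pkt)


def fake_response(txid, tc=False, ancount=1):
    """Constructed header-only response (QR set, TC if asked) for offline demonstration."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if tc else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def blocked(_pkt):
    """Constructed stand-in for a firewall that drops 53/tcp."""
    raise TimeoutError("connection timed out")


if __name__ == "__main__":
    txid, pkt = build_query("example.net.", qtype=48)  # DNSKEY: typically a large DNSSEC answer
    print(check_server(lambda p: fake_response(txid, tc=True), blocked, txid, pkt)[0])
    # udp_truncated_no_tcp
```

The transport functions are passed in so the decision logic can be exercised offline; `check_live("192.0.2.1", "example.net.", 48)` would run the same logic against a real server (address and zone are placeholders). A registry applying the thread's stricter reading would reject a server on `udp_truncated_no_tcp` as well as on `tcp_only` and `dead`; the looser reading, where only UDP is mandatory, would accept it. Note that a 4096-byte EDNS buffer makes UDP truncation less likely than the 512-byte default dig uses without `+dnssec`, so a check that wants to see whether TCP actually works should call `query_tcp` directly rather than rely on provoking TC=1.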