-----Original Message-----
From: Doug Barton <do...@dougbarton.us>
Date: Wednesday, October 1, 2014 at 2:07 PM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: Diagnostic help part 2
>On 10/1/14 8:17 AM, Barry Margolin wrote:
>> In article <mailman.1035.1412133286.26362.bind-us...@lists.isc.org>,
>> Eli Heady <eli.he...@gmail.com> wrote:
>>
>>> With response sizes growing (dnssec, ipv6), answers are more likely to
>>> be too large for UDP.
>>
>> That's unlikely. That's why EDNS was created, so that these large
>> answers wouldn't require TCP.
>
> ... and more than a decade later EDNS still fails very often due to
> misconfigured and/or ancient firewalls that don't understand it. 53/TCP
> is part of the spec, and should not be blocked.

This isn't even specific to DNS... for example, there was a time when just "turning on what sounds good" for Cisco, Netscreen and even Checkpoint would break other things like ESMTP. As an admin you needed to test your changes and understand the protocol... many don't.

It's just far worse for DNS, since there was a time when many well-intentioned checklists suggested locking down 53/tcp. So in this case DNS admins were reading docs, just the wrong ones. RTRFM. :-)
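The mechanics the thread is arguing about, as an added example that is not part of the original mailing-list exchange: a resolver advertises a UDP buffer larger than the classic 512 bytes through an EDNS0 OPT pseudo-record (RFC 6891), and when the server still cannot fit the answer it sets the TC bit, at which point the resolver has to retry over 53/TCP. The script below builds such a query from scratch, reads back the advertised size, and shows the decision a resolver makes on a truncated reply versus a timeout (the latter being the usual symptom of a middlebox that drops EDNS0 packets). All inputs are constructed and nothing touches the network; the function names, the 4096-byte default and the returned action strings are this example's own choices, not BIND's.

```python
"""Minimal DNS query builder with EDNS0 and a truncation/fallback check (constructed example)."""
import struct

FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
TYPE_OPT = 41
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit when no EDNS0 is negotiated


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, offset):
    """Return the offset just past the name starting at offset (handles compression pointers)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def build_query(qname, qtype, txid, udp_payload=4096, dnssec_ok=True):
    """Build a recursive query; udp_payload=None omits the EDNS0 OPT record entirely."""
    arcount = 0 if udp_payload is None else 1
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if udp_payload is not None:
        # OPT pseudo-RR (RFC 6891): root owner name, TYPE 41, the CLASS field carries
        # the requester's UDP payload size, the TTL field carries ext-RCODE/version/flags
        # (the DO bit is the high bit of the low 16 bits), and RDATA is empty here.
        ttl_field = 0x8000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl_field, 0)
    return msg


def advertised_udp_size(msg):
    """Return the UDP payload size a query advertises via EDNS0, or 512 if it has no OPT RR."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):  # none in a query; kept so the parser also works on replies
        off = skip_name(msg, off)
        rdlength = struct.unpack_from("!H", msg, off + 8)[0]
        off += 10 + rdlength
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:
            return max(rclass, CLASSIC_UDP_LIMIT)  # values below 512 are treated as 512
        off += 10 + rdlength
    return CLASSIC_UDP_LIMIT


def response_is_truncated(resp):
    """True when the TC bit is set: the server could not fit the answer in the UDP budget."""
    flags = struct.unpack_from("!H", resp, 2)[0]
    return bool(flags & FLAG_TC)


def next_transport(query, response):
    """Decide what a resolver must do with a UDP reply (None means the query timed out)."""
    if response is None:
        # Timeout on an EDNS0 query is the classic sign of a firewall that drops OPT
        # records or fragments; resolvers typically retry without EDNS0 before giving up.
        if advertised_udp_size(query) > CLASSIC_UDP_LIMIT:
            return "retry-udp-without-edns"
        return "fail"
    if response_is_truncated(response):
        return "retry-over-tcp"  # this step is what a blocked 53/TCP breaks
    return "use-udp-answer"


def make_reply(query, truncated):
    """Constructed sample reply: echo the question with no answer RRs, optionally with TC set."""
    txid = struct.unpack_from("!H", query, 0)[0]
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:qend]


if __name__ == "__main__":
    q = build_query("example.com.", 48, txid=0x1234)  # type 48 = DNSKEY, a typically large answer
    print("advertised UDP size:", advertised_udp_size(q))
    print("after truncated reply:", next_transport(q, make_reply(q, truncated=True)))
    print("after timeout:", next_transport(q, None))
```

Running it prints 4096 as the advertised size, "retry-over-tcp" for the truncated reply and "retry-udp-without-edns" for the timeout; the same query built with udp_payload=None advertises 512, which is the pre-EDNS behaviour the quoted replies contrast against.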