In message <5D9044356DCF9341A7D1CDAE12FC601C2976D2A5@exch10-mb2.ccbill-hq.local>, John Anderson writes:
>
> > If you would be so kind as to run the nmap test again from your location and let
> > me know if you're seeing the correct - or at least *more* correct answers, I'd
> > appreciate it.
>
> Bill,
>
> It looks good now.
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-01 12:47 MST
> Nmap scan report for www3.greenbuilder.com (205.238.182.102)
> Host is up (0.087s latency).
> PORT    STATE SERVICE
> 53/tcp  open  domain
> 53/udp  open  domain
>
> > I know Bill's issue is solved, but I want to point out that anyone running DNS
> > would be wise to not block TCP/53. TCP service for queries is specified in the
> > protocol design, and not just for transfers. Failing UDP queries should result in
> > retries over TCP
> >
> > With response sizes growing (dnssec, ipv6), answers are more likely to be too
> > large for UDP.
>
> Eli,
>
> Good advice leaving TCP/53 open as well. I haven't done much in the way of IPv6,
> but one thing is certain. It's coming, and DNS responses aren't going to get any
> smaller. It's best to be future ready.
TCP has always been required for DNS except in very special circumstances. Go read RFC 1123. Go look at the definition of SHOULD. Unless you really knew what you were doing, TCP has always been expected to be ON.

There was a myth that TCP was only required for zone transfers. It was NEVER fact. There were so many cases of people getting it wrong that we now have an RFC that states that TCP is a MUST for DNS.

It has NEVER been safe for a recursive server to not support TCP if you were connected to the Internet. The only place where that would be safe is if you controlled all the authoritative servers and all possible queries would not result in TC=1 being set.

There is also a myth that TC=1 does not need to be set for anything that you put in the additional section. This also has never been true. Failure to insert glue records requires TC=1 to be set. With EDNS, TSIG and SIG(0) there are even more cases where TC=1 should be set if records can't fit in the additional section.

We are still having to hack authoritative servers so as to not break DNS lookups for idiots that turn off TCP on recursive servers. TC=1 should be set more often than it currently is. Every referral from the root server to the COM and NET server for plain DNS should have TC=1 set these days as all the glue no longer fits.

Mark

> Thanks!
>
> John A.
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
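The client-side behaviour Eli and Mark describe (a UDP answer carrying TC=1 must be repeated over TCP, framed with a 2-byte length), as an added example that is not part of this thread or of BIND: the transports are passed in as callables so it runs offline, and `fake_udp`, `fake_tcp` and the 198.51.100.7 address are constructed stand-ins, not anything from the real host.

```python
import struct

FLAG_TC = 0x0200  # TC (truncated) bit in the DNS header flags word, RFC 1035 4.1.1

def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format DNS query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                      for lb in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def is_truncated(response):
    """True when the server set TC=1: the datagram does not carry the whole answer."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]

def resolve(qname, udp_send, tcp_send, qtype=1):
    """Ask over UDP first; if the reply has TC=1, repeat the identical query over TCP.
    udp_send(query) -> reply bytes; tcp_send(framed query) -> framed reply bytes."""
    query = build_query(qname, qtype)
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply, "udp"
    return tcp_unframe(tcp_send(tcp_frame(query))), "tcp"

# Constructed stand-ins for sockets so the example runs offline.  The UDP side does
# what a server must when the answer exceeds the datagram size: echo the question with
# QR=1 and TC=1.  The TCP side returns a full answer with one A record (a documentation
# address, not the real host's).
def fake_udp(query):
    return query[:2] + struct.pack("!H", 0x8000 | FLAG_TC) + query[4:]

def fake_tcp(framed):
    query = tcp_unframe(framed)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
    full = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr
    return tcp_frame(full)

if __name__ == "__main__":
    reply, transport = resolve("www3.greenbuilder.com", fake_udp, fake_tcp)
    print(transport, len(reply), "bytes")
```

A resolver that only implements the `udp` branch is exactly the client Mark's "turn off TCP" complaint is about: it sees TC=1 and has nowhere to go.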