On Fri, Apr 25, 2014 at 10:46 AM, Ralf Weber <d...@fl1ger.de> wrote:
> Moin!
>
> On 25 Apr 2014, at 16:22, Tirumaleswar Reddy (tireddy) <tire...@cisco.com> wrote:
>> Any specific reason for the firewalls to permit TCP/53 other than for zone transfer?
> Wat? Because it is defined in the RFC. RFC1035 may not have been totally clear on that. IMHO the language is strong enough, but if not there is RFC5966:
> "All general-purpose DNS implementations MUST support both UDP and TCP transport."
> Any more questions?! Also all this new DNS stuff like DNSSEC and mitigating DNS amplification attacks with RRL or similar techniques require that the TCP transport works.
>
> So long
Yes, and RFC 8888 quite definitely says that I get a pony.

The existing DNS works as far as the people running their firewalls are concerned. The failure of TCP fallback in practice has been an understood problem for 20+ years. If people want to design a protocol that is going to be usable, they are going to end up having to accept some constraints that are not in the specs.

--
Website: http://hallambaker.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
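An added example, not code from anyone in the thread: a minimal resolver-side check for the UDP-to-TCP fallback both posts argue about. The truncated response is constructed inline so the parsing part runs offline; `resolve_with_fallback` only does network I/O when pointed at a real server, and the server address and query name are assumptions.

```python
import socket
import struct

# TC ("truncated") bit in the DNS header flags, RFC 1035 section 4.1.1.
TC_FLAG = 0x0200

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN (A by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def is_truncated(response):
    """True when the server set TC, i.e. the answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)

# Constructed sample: a reply with QR, TC, RD and RA set and no answer records,
# which is what a client sees when it must retry over TCP.
TRUNCATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                      + b"\x07example\x03com\x00\x00\x01\x00\x01")

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is a byte stream)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed before the full message arrived")
        buf += chunk
    return buf

def resolve_with_fallback(server, name, timeout=2.0):
    """Query over UDP; if the reply is truncated, retry over TCP (RFC 5966).
    Returns (transport, raw_response). Raises RuntimeError when TCP/53 is
    unreachable, which is exactly the firewall failure mode discussed above."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(4096)
    if not is_truncated(response):
        return "udp", response
    try:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            length = struct.unpack("!H", recv_exact(tcp, 2))[0]
            return "tcp", recv_exact(tcp, length)
    except OSError as exc:
        raise RuntimeError(f"UDP reply truncated but TCP/53 to {server} failed: {exc}")
```

Pointing `resolve_with_fallback` at a resolver behind a firewall that drops TCP/53 turns the abstract "TCP fallback fails in practice" into a concrete timeout or connection refusal you can log and act on.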