> On 25 May 2017, at 18:00, John Kristoff <j...@depaul.edu> wrote:
> 
> 
>> Section 2: I think it might be useful to include a section in section
>> 2 describing the fact that the lack of, or very limited
>> implementation of TCP also fed the perception that it was a security
>> risk.
> 
> The references
> 
>  Cheswick, W. and S. Bellovin book

I sadly don’t have a copy of that book to hand so I can’t comment on the 
content there…

>  <https://cr.yp.to/djbdns/tcp.html#why>
> in section 2.4 I think may largely sum up the general concern.
> Maybe the section 2.4 is not correctly titled or incompletely detailed
> to highlight your point.  Any specific text or additional references are
> welcome of course.

How about:

   “There are many in the DNS community who configure DNS over TCP services and
   expect DNS over TCP transactions to occur without interference. However, there
   has also been a long-held belief by some operators, particularly for
   security-related reasons, that DNS over TCP services should be purposely
   limited or not provided at all [CHES94], [DJBDNS]. A popular meme has also
   held the imagination of some that DNS over TCP is only ever used for zone
   transfers and is generally unnecessary otherwise, with filtering all DNS over
   TCP traffic even described as a best practice.

   The position on restricting DNS over TCP had some justification given that
   historic implementations of DNS nameservers provided very little in the way
   of TCP connection management (for example see Section 6.1.2 of [RFC7766] for
   more details). However, modern standards and implementations are moving to
   align with the more sophisticated TCP management techniques employed by, for
   example, HTTP(S) servers and load balancers.”

> 
>> And since it is stated as TCP related development should RFC2136 be
>> there (even though it is discussed earlier)?
> 
> Probably should be there.  Need I worry about section 6's length at
> all?  It could take up a significant portion of the document given the
> way this section is going.  Note, this section was added based on some
> earlier feedback that having this sort of list might be helpful.

If it gets too long then perhaps it could be moved to an Appendix? I think it is 
very useful for reference but as you say it should not necessarily dominate the 
document. 

Sara. 
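The proposed text above points at the historical gap, servers that did little or no TCP connection management, as the root of the "DNS over TCP is a risk" belief. The following is an added illustration, not code from the draft or from anyone in this thread, of the kind of RFC 7766-style management a modern DNS-over-TCP front end applies: length-prefixed framing that tolerates partial reads and pipelined queries, plus per-client and total connection limits with an idle timeout. The limit values and the class names are illustrative assumptions.

```python
import time
from collections import defaultdict

# Illustrative limits (assumptions, not values taken from the draft or RFC 7766).
MAX_CONNECTIONS = 100   # total open DNS-over-TCP connections the server keeps
MAX_PER_CLIENT = 4      # open connections allowed from one source address
IDLE_TIMEOUT = 10.0     # seconds of inactivity before a connection is closed

class Framer:
    """Split a TCP byte stream into DNS messages. Each message carries a
    2-octet big-endian length prefix; reads may be partial and pipelined."""
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        out = []
        while len(self.buf) >= 2:
            n = int.from_bytes(self.buf[:2], "big")
            if n == 0:
                raise ValueError("zero-length DNS message")  # malformed stream
            if len(self.buf) < 2 + n:
                break  # rest of this message has not arrived yet
            out.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return out

class ConnectionTable:
    """Track open connections and enforce limits plus an idle timeout."""
    def __init__(self, now=time.monotonic):
        self.now = now
        self.conns = {}                     # conn_id -> (client_ip, last_activity)
        self.per_client = defaultdict(int)

    def accept(self, conn_id, client_ip):
        """True if the new connection is kept, False if it must be refused."""
        self.expire_idle()
        if len(self.conns) >= MAX_CONNECTIONS or self.per_client[client_ip] >= MAX_PER_CLIENT:
            return False
        self.conns[conn_id] = (client_ip, self.now())
        self.per_client[client_ip] += 1
        return True

    def touch(self, conn_id):
        ip, _ = self.conns[conn_id]
        self.conns[conn_id] = (ip, self.now())   # activity resets the idle clock

    def close(self, conn_id):
        ip, _ = self.conns.pop(conn_id)
        self.per_client[ip] -= 1

    def expire_idle(self):
        """Close connections idle longer than IDLE_TIMEOUT; return their ids."""
        cutoff = self.now() - IDLE_TIMEOUT
        stale = [c for c, (_, last) in self.conns.items() if last < cutoff]
        for c in stale:
            self.close(c)
        return stale
```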
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
