>>> On 11/3/2010 at 1:10 PM, Lamar Owen <lo...@pari.edu> wrote:
> On Tuesday, November 02, 2010 02:21:14 pm Sven Olaf Kamphuis wrote:
>> getting rid of bind has various other advantages, such as no longer
>> needing tcp to transfer "zone files" (Retarded concept to say the least)
>> so there are no more "tcp issues" related to anycasting your authoritative
>> dns servers, as you can simply have them talk to your central database
>> over their bgp session ip, which isn't anycasted, no more port 53/tcp
>> therefore! yay, good riddance!
>
> Performing zone transfers is not the only reason for 53/tcp; it can also be
> needed for long (>512 byte) query responses. Thanks to the one-two punch of
> DNSSEC and IPv6, the probability of a DNS response needing TCP on port 53 is
> much greater now.
That's mitigated by the fact that EDNS0 is required for DNSSEC, allowing for larger queries to go over UDP. Still, blocking 53/tcp is perhaps second only to dropping all incoming ICMP in the quest to be the most widely deployed and severely broken thing done in the name of Internet security.

-- 
Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
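The mechanics the two replies above are arguing over (the 512-byte UDP limit from RFC 1035, the larger payload size a client advertises in an EDNS0 OPT record, and the TC bit that sends a client back to port 53/tcp when the answer still does not fit) are easy to see in wire format. The following is an added example written for this thread; it is not code from any of the posters. It uses only the Python standard library, every message is constructed in memory (nothing is sent on the network), and the query name, the 4096-byte server-side limit and the 1100-byte placeholder RRSIG that stands in for a real DNSSEC signature are all assumptions.

```python
"""EDNS0 payload size vs. the 512-byte UDP limit, and TC-bit fallback to TCP.

Added example for this thread (not code from any poster). Standard library
only; every message is built in memory and nothing touches the network.
The name, the server's 4096 limit and the placeholder RRSIG are assumptions.
"""
import struct
from typing import Optional, Tuple

DEFAULT_UDP_SIZE = 512   # RFC 1035: largest UDP reply without EDNS0
OPT_RRTYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_TC = 0x0200         # TrunCation bit in the header flags word
DO_BIT = 0x8000          # "DNSSEC OK" bit, carried in the OPT RR's TTL field
REPLY_FLAGS = 0x8180     # QR=1, RD=1, RA=1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at msg[off]; handles compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_query(name: str, qtype: int = 1, edns_udp_size: Optional[int] = None,
                dnssec_ok: bool = False, txid: int = 0x1234) -> bytes:
    """Query with RD set. With edns_udp_size, append an OPT RR advertising
    that UDP payload size (and the DO bit when dnssec_ok)."""
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    if edns_udp_size is not None:
        ttl = DO_BIT if dnssec_ok else 0
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, edns_udp_size, ttl, 0)
    return msg


def find_opt(msg: bytes) -> Optional[int]:
    """UDP payload size advertised by the message's OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_RRTYPE:
            return rclass
    return None


def fake_dnssec_answer(rdlen: int = 1100) -> Tuple[bytes, int]:
    """Constructed answer section: an A record plus an RRSIG-typed RR with
    rdlen placeholder bytes, standing in for the signature that pushes a
    DNSSEC reply past 512 bytes. Owner names point at the question name."""
    ptr = b"\xc0\x0c"
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig = ptr + struct.pack("!HHIH", 46, 1, 300, rdlen) + b"\x00" * rdlen
    return a_rr + rrsig, 2


def server_udp_reply(query: bytes, answer_rrs: bytes, ancount: int) -> bytes:
    """Authoritative server over UDP: send the whole reply if it fits the
    client's limit, else an answerless reply with TC=1 (retry over TCP)."""
    opt_size = find_opt(query)
    # RFC 6891: advertised sizes below 512 are treated as 512.
    limit = DEFAULT_UDP_SIZE if opt_size is None else max(opt_size, DEFAULT_UDP_SIZE)
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    # Echo an OPT RR (our own limit, 4096 assumed) only to EDNS-capable clients.
    opt = b"" if opt_size is None else b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, 0, 0)
    arcount = 0 if opt_size is None else 1
    full = struct.pack("!HHHHHH", txid, REPLY_FLAGS, 1, ancount, 0, arcount)
    full += question + answer_rrs + opt
    if len(full) <= limit:
        return full
    truncated = struct.pack("!HHHHHH", txid, REPLY_FLAGS | FLAG_TC, 1, 0, 0, arcount)
    return truncated + question + opt


def is_truncated(reply: bytes) -> bool:
    return bool(struct.unpack("!H", reply[2:4])[0] & FLAG_TC)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035 s4.2.2): each message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def client_next_step(query: bytes, reply: bytes) -> Tuple[str, bytes]:
    """After a UDP reply: TC set means the same query goes out again on
    53/tcp (length-framed); otherwise the reply is complete and usable."""
    if is_truncated(reply):
        return "retry-tcp", tcp_frame(query)
    return "done", reply


if __name__ == "__main__":
    answer, n = fake_dnssec_answer()
    for label, q in [("plain, no EDNS0 (512)", build_query("example.com")),
                     ("EDNS0 4096 + DO", build_query("example.com", 1, 4096, True)),
                     ("EDNS0 1232", build_query("example.com", 1, 1232))]:
        step, _ = client_next_step(q, server_udp_reply(q, answer, n))
        print(f"{label:24s} -> {step}")
```

Run as a script, the plain (non-EDNS) client is forced onto TCP by the 1157-byte reply while the EDNS0 clients get it in a single UDP datagram, which is the point being made about EDNS0. The third case is the caveat worth keeping in mind: a client advertising a conservative size such as 1232 still fits this reply, but a larger RRset or a fragmentation-avoiding limit can push it back over TC, and then 53/tcp must be open or resolution fails.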