On Fri, Apr 25, 2014 at 02:22:03PM +, Tirumaleswar Reddy (tireddy) wrote:
>
> Any specific reason for the firewalls to permit TCP/53 other than for zone
> transfer ?
"Because DNS uses TCP in lots of cases, and always has"? Anyone who
is still configuring firewalls to deny TCP/53 as a matter
On 25 Apr 2014, at 11:14, Phillip Hallam-Baker wrote:
> The existing DNS works as far as the people running their firewalls
> are concerned. The failure of TCP fallback in practice has been an
> understood problem for 20+ years.
Understood, perhaps; measured and understood, not so much.
What i
> -Original Message-
> From: Ralf Weber [mailto:d...@fl1ger.de]
> Sent: Thursday, April 24, 2014 7:22 PM
> To: Tirumaleswar Reddy (tireddy)
> Cc: Nicholas Weaver; Paul Wouters; dnsop; dns-priv...@ietf.org
> Subject: Re: [dns-privacy] [DNSOP] DNS over DTLS (DNSoD)
>
> Moin!
>
>
> On 24.04
On Fri, Apr 25, 2014 at 10:46 AM, Ralf Weber wrote:
> Moin!
>
> On 25 Apr 2014, at 16:22, Tirumaleswar Reddy (tireddy)
> wrote:
>> Any specific reason for the firewalls to permit TCP/53 other than for zone
>> transfer ?
> Wat? Because it is defined in the RFC. RFC1035 may not have been totally clear
Moin!
On 25 Apr 2014, at 16:22, Tirumaleswar Reddy (tireddy)
wrote:
> Any specific reason for the firewalls to permit TCP/53 other than for zone
> transfer ?
Wat? Because it is defined in the RFC. RFC1035 may not have been totally clear on
that. IMHO
the language is strong enough, but if not there
Tirumaleswar Reddy (tireddy) wrote:
>
> Any specific reason for the firewalls to permit TCP/53 other than for zone
> transfer ?
RFC 5966
Tony.
--
f.anthony.n.finch  http://dotat.at/
South Utsire, Northeast Forties: Easterly 4 or 5, increasing 6 or 7. Slight or
moderate. Fair. Good.
If you want a response, "QR" needs to be zero. Note the "*" which
indicates the packet is a response (QR=1).
In message <995cf19c-6e1e-4282-bea1-9991214e6...@vpnc.org>, Paul Hoffman writes:
> On Apr 23, 2014, at 11:11 PM, Stephane Bortzmeyer wrote:
>
> > On Wed, Apr 23, 2014 at 09:16:29AM -0700
On Thu, 24 Apr 2014 11:32:12 -0400, Phillip Hallam-Baker wrote:
>...
>
>For me the idea of putting TLS traffic over the same port as non TLS
>traffic without careful attention to how the upgrade is achieved would
>be 'butchering the protocol'. Changing the port number to one that is
>known to work
>Thanks, this is the kind of data I was looking for. The draft seems to assume
>that the server will give an error, not no response.
I'd think no response would be pretty much mandatory these days to
avoid being a DDoS reflector.
This is also consistent with rants I've seen about EDNS0, in wh
> -Original Message-
> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Nicholas
> Weaver
> Sent: Thursday, April 24, 2014 1:58 AM
> To: Paul Wouters
> Cc: dnsop; Nicholas Weaver; dns-priv...@ietf.org
> Subject: Re: [dns-privacy] [DNSOP] DNS over DTLS (DNSoD)
>
>
> On
> -Original Message-
> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Paul
> Hoffman
> Sent: Thursday, April 24, 2014 7:49 PM
> To: Stephane Bortzmeyer
> Cc: dns-priv...@ietf.org; dnsop; Dan Wing (dwing)
> Subject: Re: [dns-privacy] DNS over DTLS (DNSoD)
>
> On Apr 23
On Apr 24, 2014, at 8:39 AM, Tirumaleswar Reddy (tireddy)
wrote:
> No, the draft states that the DNS server will send no response. Please refer
> to section 5 of the draft
> http://tools.ietf.org/html/draft-wing-dnsop-dnsodtls-00#section-5
>
>
>
> After performing the above steps, the ho
On Thu, Apr 24, 2014 at 11:19 AM, Joe Abley wrote:
>
> On 24 Apr 2014, at 10:53, Phillip Hallam-Baker wrote:
>
>> If you want to use TLS with DNS then use port 443. One of the effects
>> of firewalls is that we now only have three ports for all protocols:
>>
>> Port 80/UDP: Non SSL traffic
>> Por
On 24 Apr 2014, at 10:53, Phillip Hallam-Baker wrote:
> If you want to use TLS with DNS then use port 443. One of the effects
> of firewalls is that we now only have three ports for all protocols:
>
> Port 80/UDP: Non SSL traffic
> Port 443/TCP: SSL traffic
> Port 53/UDP: DNS
I think it's impo
On Thu, Apr 24, 2014 at 9:52 AM, Ralf Weber wrote:
> Moin!
>
>
> On 24.04.2014, at 15:28, "Tirumaleswar Reddy (tireddy)"
> wrote:
>
>>> -Original Message-
>>> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of
>>> Nicholas
>>> Weaver
>>> Sent: Thursday, April 24, 2014
On Apr 23, 2014, at 11:11 PM, Stephane Bortzmeyer wrote:
> On Wed, Apr 23, 2014 at 09:16:29AM -0700,
> Paul Hoffman wrote
> a message of 39 lines which said:
>
>> Sure. What were the results of your testing?
>
> I quickly tested with .FR authoritative name servers and both NSD and
> BIND seem
Moin!
On 24.04.2014, at 15:28, "Tirumaleswar Reddy (tireddy)"
wrote:
>> -Original Message-
>> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Nicholas
>> Weaver
>> Sent: Thursday, April 24, 2014 1:58 AM
>> To: Paul Wouters
>> Cc: dnsop; Nicholas Weaver; dns-priv...
In message , Paul Wouters
writes:
> On Wed, 23 Apr 2014, Nicholas Weaver wrote:
>
> > On Apr 23, 2014, at 1:00 PM, Paul Wouters wrote:
> >> No, I fully disagree with this. Port 53 TCP has a much better chance at
> >> working these days than a random other newly assigned port.
> >
> > Not true.
On Wed, 23 Apr 2014, Nicholas Weaver wrote:
On Apr 23, 2014, at 1:00 PM, Paul Wouters wrote:
No, I fully disagree with this. Port 53 TCP has a much better chance at
working these days than a random other newly assigned port.
Not true. Port 53 is far more molested than "random": INBOUND fir
On Wed, Apr 23, 2014 at 7:11 PM, Joe Abley wrote:
>
> On 23 Apr 2014, at 18:32, Phillip Hallam-Baker wrote:
>
>> We can't run over port 53 (trust me, I tried).
>
> You have doubts about the approach described in
> draft-hzhwm-start-tls-for-dns-00? Those would be interesting to hear; I find
> th
On 23 Apr 2014, at 18:32, Phillip Hallam-Baker wrote:
> We can't run over port 53 (trust me, I tried).
You have doubts about the approach described in
draft-hzhwm-start-tls-for-dns-00? Those would be interesting to hear; I find
that draft (and the accompanying t-dns technical report) to be qu