tcp/udp, clarification please

Brad Knowles brad.knowles at skynet.be
Thu Oct 11 15:09:37 UTC 2001


At 10:04 AM -0400 2001/10/11, Eoin Miller wrote:
>  How would having no TCP access to my DNS servers prevent adoption of better
>  security tools?

	Because advanced DNS security measures like TSIG and DNSSEC 
make the packets so large that they are almost certainly guaranteed 
to be too big to fit into a single UDP packet?

>                   My zone transfers would still be going over TCP because I
>  have a firewall/DMZ setup, and behind the firewall TCP is allowed to
>  transfer between the boxes, but to the outside world only UDP is accessible,

	This is fundamentally the wrong way to do it.  Allow both TCP 
and UDP through to your nameserver, and then use the mechanisms built 
into the nameserver software (e.g., BIND) to restrict who is/is not 
allowed to perform a zone transfer.


	If you choose to configure your nameserver in any other 
fashion, you're welcome to support the thing entirely and completely 
on your own, but please don't ask anyone else in the world for any 
help.


	And once again, I must ask you to stop lying about your 
return e-mail address, and causing e-mail replies to be sent back to 
the US Federal Trade Commission.  If anything, by this action, you 
are as bad as (or worse) a criminal than all the spammers out there.

	If you continue to participate in this illegal activity, then 
I will be forced to contact the appropriate people at RCN and begin 
proceedings to have your account terminated.

-- 
Brad Knowles, <brad.knowles at skynet.be>
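The configuration Brad is describing, written out as an added example (this is not code from the original post or from ISC): a BIND 9 named.conf fragment that leaves UDP and TCP 53 open for ordinary queries and uses allow-transfer plus a TSIG key to decide who may pull the zone. The zone name, the secondary addresses, the key name and the key secret are placeholders; the hmac-sha256 algorithm assumes a current BIND 9 (a 2001-era server would have used hmac-md5).

```conf
// Added example, not from the original post. Addresses, zone, key name
// and secret are assumptions/placeholders.

// The hosts allowed to pull the zone (assumed addresses).
acl "secondaries" { 192.0.2.2; 198.51.100.2; };

// TSIG key shared with the secondaries. The secret below is a placeholder:
// generate a real one with "tsig-keygen xfer-key" and never reuse this value.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=";
};

options {
    directory "/var/named";
    // Global default: no zone may be transferred unless the zone statement
    // says otherwise. This is the control a firewall rule cannot give you.
    allow-transfer { none; };
    // Ordinary queries stay open to the world. The firewall must pass
    // both UDP and TCP 53: a response that does not fit in UDP comes back
    // with the TC bit set and the resolver retries the same query over TCP.
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // AXFR/IXFR is permitted only when BOTH conditions hold: the request
    // comes from a listed secondary AND it is signed with xfer-key. The
    // nested negated list is the BIND idiom for "and" in an address match list.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.2; 198.51.100.2; };
};
```

With this in place the check is simple: from a host that is not a listed secondary, `dig @ns1.example.com example.com AXFR` should return "Transfer failed." with status REFUSED, while `dig @ns1.example.com example.com SOA +tcp` should still succeed, which confirms that TCP 53 is reachable and that zone-transfer policy is enforced by named rather than by the packet filter.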



More information about the bind-users mailing list