Diagnostic help part 2

Mike Hoskins (michoski) michoski at cisco.com
Wed Oct 1 18:43:14 UTC 2014


-----Original Message-----
From: Doug Barton <dougb at dougbarton.us>
Date: Wednesday, October 1, 2014 at 2:07 PM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: Diagnostic help part 2

>On 10/1/14 8:17 AM, Barry Margolin wrote:
>> In article <mailman.1035.1412133286.26362.bind-users at lists.isc.org>,
>>   Eli Heady <eli.heady at gmail.com> wrote:
>>
>>> With response sizes growing (dnssec, ipv6), answers are more likely to be
>>> too large for UDP.
>>
>> That's unlikely. That's why EDNS was created, so that these large
>> answers wouldn't require TCP.
>
>... and more than a decade later EDNS still fails very often due to
>misconfigured and/or ancient firewalls that don't understand it. 53/TCP
>is part of the spec, and should not be blocked.

This isn't even specific to DNS...for example, there was a time when just
"turning on what sounds good" for cisco, netscreen and even checkpoint
would break other things like ESMTP.  As an admin you needed to test your
changes and understand the protocol...many don't.

It's just far worse for DNS, since there was a time when many
well-intentioned checklists suggested locking down 53/tcp.  So in this
case DNS admins were reading docs, just the wrong ones.  RTRFM.  :-)
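The mechanics Barry and Doug are arguing about, as an added example that is not part of this thread: a query without EDNS only allows a 512-byte UDP answer, an EDNS0 OPT record raises that limit, and a server that cannot fit the answer sets TC so the client must repeat the query over 53/TCP (which is where a blocked port breaks resolution). The query builder, the 4096-byte buffer size and the sample responses are constructed for illustration.

```python
import struct

DNS_UDP_LIMIT = 512   # RFC 1035 UDP payload limit when no EDNS OPT record is present
EDNS_OPT_TYPE = 41    # OPT pseudo-RR type (RFC 6891)
TC_FLAG = 0x0200      # "truncated" bit in the DNS header flags


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a root terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_bufsize=None):
    """Build a recursive query; with edns_bufsize an OPT record is appended whose
    CLASS field advertises the UDP payload size the client can accept."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=extended flags, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def udp_payload_limit(query):
    """Largest UDP response the sender of this query will accept: the OPT CLASS
    field if EDNS is present, otherwise the classic 512-byte limit."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos] != 0:          # skip QNAME labels
        pos += 1 + query[pos]
    pos += 1 + 4                    # root terminator + QTYPE/QCLASS
    if arcount and query[pos] == 0 and struct.unpack("!H", query[pos + 1:pos + 3])[0] == EDNS_OPT_TYPE:
        return struct.unpack("!H", query[pos + 3:pos + 5])[0]
    return DNS_UDP_LIMIT


def needs_tcp_retry(response):
    """True when the server set TC: the answer did not fit the allowed UDP size,
    so the client has to repeat the same query over 53/TCP to get it whole."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & TC_FLAG)


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


# Constructed sample responses: only the 12-byte header matters for the TC check.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0)   # QR=1, TC=1
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR=1, RD/RA, TC=0
```

If the TC retry is needed and a firewall drops 53/TCP, the client never receives the full answer, which is the failure mode Doug describes.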
