On Mon, Aug 18, 2008 at 07:49:20PM +0000, Paul Vixie wrote:
> > > so what does microsoft exchange do when it tries to talk to a tinydns
> > > service like everydns.net who doesn't implement TCP/53 at all?
> >
> > It doesn't need to - it speaks to resolvers.
>
> what would it do if it had a TCP-forbidding firewall between it and its RDNS?
Dunno, but when PowerDNS had TCP bugs in its resolver code, all the complaints I got were from Exchange users.

What's the rush with deprecating DNS/TCP btw? It languished in the shade for 25 years..

I worry because it turns out a single multiplexed connection between a resolver and an authoritative server is just the ticket for doing almost unspoofable queries while under attack. It serves as a semi-persistent channel (few seconds, minutes perhaps) over which all the queries triggering the questions that are under attack can safely be answered.

So I care about DNS over TCP as part of the entropy-raising arsenal that is (mostly) available today. I'd hate to see it taken away!

	Bert

--
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
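To make the "single multiplexed connection" concrete, here is an added example (editor's illustration, not code from the thread, from PowerDNS or from any other project). A stub authoritative server and a resolver-side client run over loopback; the client pipelines several queries over one TCP connection (RFC 1035 two-byte length framing) and matches each reply back to an outstanding query by transaction ID and echoed question section. The zone data, names and 192.0.2.0/24 addresses are made up. The spoofing-resistance the thread refers to comes from the TCP handshake itself: an off-path attacker who wants to inject an answer must hit the 32-bit sequence number of an established connection, not merely the 16-bit ID and source port of a UDP query, and the client below still checks ID and question on every reply.

```python
"""Added example: pipelined DNS queries over one TCP session (RFC 1035 framing).
Stub server, client, zone data and names are constructed for illustration."""
import socket
import struct
import threading

# Constructed zone for the stub authoritative server (assumption, not real data).
ZONE = {"www.example.net.": "192.0.2.10", "mail.example.net.": "192.0.2.25"}


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name starting at off; returns (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(qid, name):
    # Header: ID, flags=0 (iterative, RD clear), QDCOUNT=1; question: name, QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query):
    """Authoritative answer: A record if the name is in ZONE, else NXDOMAIN (RCODE 3)."""
    (qid,) = struct.unpack("!H", query[:2])
    name, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    ip = ZONE.get(name)
    if ip is None or qtype != 1:
        return struct.pack("!HHHHHH", qid, 0x8403, 1, 0, 0, 0) + question  # QR|AA, RCODE=3
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0) + question + answer  # QR|AA


def tcp_frame(msg):
    return struct.pack("!H", len(msg)) + msg  # RFC 1035 4.2.2 length prefix


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""  # peer closed the session
        buf += chunk
    return buf


def read_frame(sock):
    hdr = recv_exact(sock, 2)
    return recv_exact(sock, struct.unpack("!H", hdr)[0]) if hdr else b""


def serve_one_session(listener):
    """Stub authoritative: answer every framed query on a single accepted connection."""
    conn, _ = listener.accept()
    with conn:
        q = read_frame(conn)
        while q:
            conn.sendall(tcp_frame(build_response(q)))
            q = read_frame(conn)


def resolve_over_one_tcp_session(names, port):
    """Resolver side: pipeline all queries on one connection, match replies by ID + question."""
    pending, results = {}, {}
    with socket.create_connection(("127.0.0.1", port)) as s:
        for i, name in enumerate(names):
            qid = 0x1000 + i
            q = build_query(qid, name)
            pending[qid] = q[12:]          # question section we expect echoed back
            s.sendall(tcp_frame(q))        # send everything before reading anything
        while pending:
            r = read_frame(s)
            qid, flags = struct.unpack("!HH", r[:4])
            qname, off = decode_name(r, 12)
            if r[12:off + 4] != pending.get(qid):
                raise ValueError("reply does not match an outstanding question")
            del pending[qid]
            ancount = struct.unpack("!H", r[6:8])[0]
            if flags & 0xF == 3 or ancount == 0:
                results[qname] = None
            else:
                rd = off + 4 + 2 + 10      # skip question, name pointer, type/class/ttl/rdlength
                results[qname] = socket.inet_ntoa(r[rd:rd + 4])
    return results


def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=serve_one_session, args=(listener,), daemon=True).start()
    try:
        return resolve_over_one_tcp_session(
            ["www.example.net.", "nope.example.net.", "mail.example.net."], port)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The client keeps the connection open across all three queries and only closes it when nothing is outstanding; in a real resolver the session would be reused for further queries to the same server while the attack lasts, which is the "semi-persistent channel" Bert describes.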