On Mon, Aug 18, 2008 at 07:49:20PM +0000, Paul Vixie wrote:
> > > so what does microsoft exchange do when it tries to talk to a tinydns
> > > service like everydns.net who doesn't implement TCP/53 at all?
> > 
> > It doesn't need to - it speaks to resolvers.
> 
> what would it do if it had a TCP-forbidding firewall between it and its RDNS?

Dunno, but when PowerDNS had TCP bugs in its resolver code, all the
complaints I got were from Exchange users.

What's the rush with deprecating DNS/TCP btw? It languished in the shade for
25 years.

I worry because it turns out a single multiplexed connection between a
resolver and an authoritative server is just the ticket for doing almost
unspoofable queries while under attack.

It serves as a semi-persistent channel (few seconds, minutes perhaps) over
which all the queries triggering the questions that are under attack can
safely be answered.

So I care about DNS over TCP as part of the entropy raising arsenal that is
(mostly) available today.

I'd hate to see it taken away!

        Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
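An added illustration of the single multiplexed DNS/TCP connection described above (example code written for this page, not from the thread or from PowerDNS): several queries are pipelined onto one connection with the two-byte length framing of RFC 1035, and the returning byte stream is reassembled and matched back to the outstanding queries by transaction ID and question. The class, function and constructed test input names are assumptions made here.

```python
import struct

def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Minimal DNS query in wire format: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def tcp_frame(msg: bytes) -> bytes:
    """DNS/TCP prefixes every message with a two-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

class TcpDemux:
    """Tracks the queries pipelined onto one TCP connection and reassembles the
    byte stream coming back into whole messages, matching each to its query."""
    def __init__(self):
        self.buf = b""
        self.pending = {}  # txid -> question section we sent

    def send(self, txid: int, name: str, qtype: int) -> bytes:
        q = build_query(name, qtype, txid)
        self.pending[txid] = q[12:]
        return tcp_frame(q)

    def feed(self, data: bytes):
        """Consume whatever the socket delivered (possibly a partial frame);
        return [(txid, message)] for every complete, matching response."""
        self.buf += data
        done = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # rest of this frame has not arrived yet
            msg, self.buf = self.buf[2:2 + length], self.buf[2 + length:]
            if len(msg) < 12:
                continue  # runt frame, discard
            txid = struct.unpack("!H", msg[:2])[0]
            is_response = bool(msg[2] & 0x80)  # QR bit
            sent = self.pending.get(txid)
            # Accept only a response whose ID *and* question match something we sent.
            if is_response and sent is not None and msg[12:12 + len(sent)] == sent:
                done.append((txid, msg))
                del self.pending[txid]
        return done

def constructed_response(query: bytes) -> bytes:
    """Constructed test input: echo the query with the QR bit set, no answer RRs."""
    return query[:2] + bytes([query[2] | 0x80]) + query[3:]
```

Responses may come back in any order and split at arbitrary byte boundaries; the demultiplexer waits for a whole frame and only hands back messages that match a query it actually sent.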
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop