Date: Thu, 11 Apr 2002 00:36:10 +0200
From: Brad Knowles <brad.knowles@skynet.be>
To: Mate Wierdl <mw@thales.memphis.edu>, freebsd-chat@freebsd.org
Subject: Re: qmail (Was: Maintaining Access Control Lists )
Message-ID: <p0510154ab8da69c57de5@[10.0.1.10]>
In-Reply-To: <20020410163728.A25502@thales.memphis.edu>
References: <20020403144539.A11798@thales.memphis.edu> <3CAB7860.EB8DF505@mindspring.com> <20020410163728.A25502@thales.memphis.edu>
At 4:37 PM -0500 2002/04/10, Mate Wierdl wrote:

> It certainly can happen that the advice given in an rfc turns out to
> be ill in the wild after a time. DNS over TCP, for example, turns out
> to be prone to DOS attacks, and is much slower.
>
> In rfc1123, I read
>
>     Responsible practices can make UDP suffice in the vast
>     majority of cases.

RFC 1123 is old. With the advent of IPv6 and other enhancements, more and more DNS queries must be performed over TCP because there is no other choice.

> Now djbdns certainly implements DNS over TCP---it just leaves it up to
> the admin to, in fact, enable it as the need arises. The argument
> boils down to what is enabled by default.

At issue here is not whether there are alternatives that may work most of the time; at issue here is whether djbdns is compliant with the standard by default -- which it patently is not.

> I do not follow: so just keep axfr, and get rid of the additional
> possibilities?

The additional possibilities are also available with other programs. They are not unique to djbdns. Claiming that alternatives are available does not absolve you of the responsibility to implement the standard -- by default.

> I am not clear on this (probably I did not ask the question clearly):
> does rfc 1996 mandate the implementation of NOTIFY for servers?

NOTIFY is an important part of the evolution of the DNS protocol. If you do not implement it by default, you put the future of the DNS at risk.

>> Here's my argument:
>>
>>     "All DNS data transfers should take place over the
>>     DNS protocol."
>
> Well, this requirement results in complexity, and lots of reinventing
> the wheel.

Just because things get tough doesn't mean that you are free to throw away all the rules.

> Indeed, even without DNSSEC, apparently 24% of .com servers have
> misconfigured delegations.

We can fix those problems without DNSSEC -- indeed, as you point out, this is merely a configuration issue. DNSSEC is for solving larger problems than this.
> It is not irrelevant because it does hint at the problems with IQUERY,
> and at the fact that clients do not send IQUERY anymore. Hence it is
> unlikely that users will suffer from this lack of compliance.

Just because you believe that there are no more clients that use IQUERY doesn't give you free rein to decide to ignore the DNS protocol when you receive an IQUERY. This is in direct violation of the Postel Principle, as well as POLA.

--
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.
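Two protocol points run through the exchange above: a resolver must be able to fall back to TCP when a UDP answer is truncated, and a server that receives an opcode it does not implement (IQUERY in this thread) should answer rather than stay silent. The following Python is an added illustration of both, written for this archive page; it is not code from the original message, from djbdns or from any other server discussed. It handles only the 12-byte DNS header (RFC 1035 layout), the sample packets are constructed inline, and the set of "implemented" opcodes is an assumption chosen for the demonstration. The NOTIMP response for IQUERY follows RFC 3425, which obsoleted that opcode.

```python
import struct

# DNS header field values (RFC 1035 section 4.1.1, RFC 1996 for NOTIFY).
# The constants are the protocol's own; the functions are an added example.
OPCODE_QUERY = 0
OPCODE_IQUERY = 1      # obsoleted by RFC 3425: servers answer it with NOTIMP
OPCODE_STATUS = 2
OPCODE_NOTIFY = 4      # RFC 1996
RCODE_NOERROR = 0
RCODE_NOTIMP = 4

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_header(ident, *, qr=0, opcode=OPCODE_QUERY, aa=0, tc=0, rd=1, ra=0,
                 rcode=RCODE_NOERROR, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header; used here to construct sample packets."""
    flags = ((qr & 1) << 15 | (opcode & 0xF) << 11 | (aa & 1) << 10 | (tc & 1) << 9
             | (rd & 1) << 8 | (ra & 1) << 7 | (rcode & 0xF))
    return HEADER.pack(ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Unpack the header of a DNS message into its named fields."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message: %d bytes" % len(msg))
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": flags >> 15 & 1,
        "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1,
        "tc": flags >> 9 & 1,
        "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def next_transport(response, current="udp"):
    """Resolver side: a UDP answer with TC=1 was truncated, so the
    standards-conformant move (RFC 1035 section 4.2.1) is to repeat the
    query over TCP. Large answers (AAAA sets, DNSSEC) hit this regularly."""
    if current == "udp" and parse_header(response)["tc"]:
        return "tcp"
    return current


# Assumed capabilities of the illustrative server, not any real product's.
IMPLEMENTED_OPCODES = {OPCODE_QUERY, OPCODE_NOTIFY}


def reply_header_for(query):
    """Server side: a query whose opcode is not implemented still gets a
    response, with RCODE NOTIMP and the client's ID echoed, instead of being
    dropped. Returns None only for messages that are not queries at all."""
    h = parse_header(query)
    if h["qr"]:
        return None
    rcode = RCODE_NOERROR if h["opcode"] in IMPLEMENTED_OPCODES else RCODE_NOTIMP
    return build_header(h["id"], qr=1, opcode=h["opcode"], rd=h["rd"],
                        rcode=rcode, qdcount=h["qdcount"])


if __name__ == "__main__":
    # Constructed samples: a truncated UDP reply and an IQUERY request.
    truncated = build_header(0x1234, qr=1, tc=1, rd=1, ra=1)
    print("after truncated UDP reply, retry over:", next_transport(truncated))
    iquery = build_header(0xBEEF, opcode=OPCODE_IQUERY)
    print("reply to IQUERY carries rcode:",
          parse_header(reply_header_for(iquery))["rcode"])
```

The resolver half is the reason a server that does not listen on TCP by default breaks real clients: once the answer no longer fits the UDP payload, the TC bit leaves the client nothing to do but reconnect on port 53/TCP. The server half shows what the Postel argument above asks for in practice: an unsupported opcode is still a well-formed query, and echoing its ID with NOTIMP lets the client fail fast instead of timing out.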