tcp/udp, clarification please

Brad Knowles brad.knowles at
Thu Oct 11 15:09:37 UTC 2001

At 10:04 AM -0400 2001/10/11, Eoin Miller wrote:
>  how would having no TCP access to my DNS servers prevent adoption of better
>  security tools?

	Because advanced DNS security measures like TSIG and DNSSEC 
make the packets so large that they are almost certainly guaranteed 
to be too big to fit into a single UDP packet?

>                   my zone transfers would still be going over TCP because i
>  have a firewall/DMZ setup, and behind the firewall TCP is allowed to
>  transfer between the boxes, but to the outside world only UDP is accessible,

	This is fundamentally the wrong way to do it.  Allow both TCP 
and UDP through to your nameserver, and then use the mechanisms built 
into the nameserver software (e.g., BIND) to restrict who is/is not 
allowed to perform a zone transfer.

	If you choose to configure your nameserver in any other 
fashion, you're welcome to support the thing entirely and completely 
on your own, but please don't ask anyone else in the world for any 

	And once again, I must ask you to stop lying about your 
return e-mail address, and causing e-mail replies to be sent back to 
the US Federal Trade Commission.  If anything, by this action, you 
are as bad a criminal as (or worse than) all the spammers out there.

	If you continue to participate in this illegal activity, then 
I will be forced to contact the appropriate people at RCN and begin 
proceedings to have your account terminated.

Brad Knowles, <brad.knowles at>
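The configuration the reply recommends (both TCP and UDP open to the nameserver, with zone transfers restricted by the nameserver itself), as an added BIND 9 named.conf example that is not part of the original post; the zone name, key name, addresses and secret are constructed placeholders.

```conf
// Added example, not from the original post. Instead of blocking 53/tcp at
// the firewall (which also breaks large TSIG/DNSSEC responses), let both
// 53/udp and 53/tcp reach the server and restrict AXFR/IXFR here.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // generate with tsig-keygen
};

// Sign NOTIFY messages sent to the secondary (placeholder address).
server 192.0.2.2 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only requests signed with xfer-key may pull the zone; ordinary
    // queries over UDP or TCP from anyone are still answered.
    allow-transfer { key "xfer-key"; };
    notify yes;
    also-notify { 192.0.2.2; };
};
```

The secondary needs the same key statement plus a matching server clause for the primary's address so that its transfer requests are signed.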
