Diagnostic help part 2

Mark Andrews marka at isc.org
Wed Oct 1 23:03:52 UTC 2014


In message <5D9044356DCF9341A7D1CDAE12FC601C2976D2A5 at exch10-mb2.ccbill-hq.local>, John Anderson writes:
> > If you would be so kind as to run the nmap test again from your location and
> > let me know if you're seeing the correct - or at least *more* correct answers,
> > I'd appreciate it.
> 
> Bill,
> 
> It looks good now.
> 
> Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-01 12:47 MST
> Nmap scan report for www3.greenbuilder.com (205.238.182.102)
> Host is up (0.087s latency).
> PORT   STATE SERVICE
> 53/tcp open  domain
> 53/udp open  domain
> 
> > I know Bill's issue is solved, but I want to point out that anyone running DNS
> > would be wise to not block TCP/53. TCP service for queries is specified in the
> > protocol design, and not just for transfers. Failing UDP queries should result
> > in retries over TCP.
> > With response sizes growing (dnssec, ipv6), answers are more likely to be too
> > large for UDP.
> 
> Eli,
> 
> Good advice leaving TCP/53 open as well.  I haven't done much in the way of IPv6,
> but one thing is certain.  It's coming, and DNS responses aren't going to get any
> smaller.  It's best to be future ready.

TCP has always been required for DNS except in very special
circumstances.  Go read RFC 1123.  Go look at the definition of
SHOULD.  Unless you really knew what you were doing, TCP has always
been expected to be ON.

There was a myth that TCP was only required for zone transfers.  It
was NEVER fact.  There were so many cases of people getting it wrong
that we now have an RFC that states that TCP is a MUST for DNS.

It has NEVER been safe for a recursive server to not support TCP
if you were connected to the Internet.  The only place where that
would be safe is if you controlled all the authoritative servers
and all possible queries would not result in TC=1 being set.

There is also a myth that TC=1 does not need to be set for anything
that you put in the additional section.  This also has never
been true.  Failure to insert glue records requires TC=1 to be set.
With EDNS, TSIG and SIG(0) there are even more cases where TC=1
should be set if records can't fit in the additional section.

We are still having to hack authoritative servers so as to not break
DNS lookups for idiots that turn off TCP on recursive servers.  TC=1
should be set more often than it currently is.  Every referral from
the root server to the COM and NET servers for plain DNS should have
TC=1 set these days as all the glue no longer fits.

Mark

> Thanks!
> 
> John A.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
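The two behaviours Mark's message describes, worked through as an added example that is not part of this thread or of BIND: a server assembling a referral sets TC=1 as soon as a record, additional-section glue included, will not fit the UDP payload budget, and a resolver that receives TC=1 has to retry over TCP or fail. The zone (example.), the ns1..ns6 server names and the 192.0.2.x / 2001:db8::x glue addresses are constructed for the example; the code uses plain RFC 1035 framing with no name compression, so byte counts differ from a real server's.

```python
"""Added example: not code from Mark Andrews' message or from BIND.

Minimal DNS wire-format helpers (RFC 1035 framing, no name compression)
showing two points made above: a server must set TC=1 as soon as a record,
additional-section glue included, will not fit the payload budget (512 bytes
for plain DNS, more only if the client offered EDNS0); and a resolver that
sees TC=1 over UDP must retry over TCP, so one with TCP/53 blocked cannot
complete the lookup. Zone, server names and addresses are constructed.
"""
import ipaddress
import struct

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired, echoed from the query
TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
PLAIN_DNS_UDP_MAX = 512  # RFC 1035 4.2.1 limit without EDNS0


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name, rtype, rdata, ttl=172800):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qid, qname, qtype, answer, authority, additional,
                   max_size=PLAIN_DNS_UDP_MAX):
    """Assemble a response within max_size bytes.

    Records go in section order; the first one that would overflow the budget
    stops assembly and sets TC=1, whichever section it is in. Glue that does
    not fit is therefore never dropped silently.
    """
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    counts = [1, 0, 0, 0]  # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    truncated = False
    for idx, section in ((1, answer), (2, authority), (3, additional)):
        for record in section:
            if truncated or 12 + len(body) + len(record) > max_size:
                truncated = True
                break
            body += record
            counts[idx] += 1
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", qid, flags, *counts) + body


def parse_header(msg):
    """Return the 12-byte header fields a resolver needs to decide on TCP retry."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


# Constructed referral: example. delegated to six servers, each with A and AAAA glue.
NS_HOSTS = ["ns%d.example." % i for i in range(1, 7)]
AUTHORITY = [rr("example.", TYPE_NS, encode_name(h)) for h in NS_HOSTS]
GLUE = []
for i, h in enumerate(NS_HOSTS, start=1):
    GLUE.append(rr(h, TYPE_A, ipaddress.IPv4Address("192.0.2.%d" % i).packed))
    GLUE.append(rr(h, TYPE_AAAA, ipaddress.IPv6Address("2001:db8::%d" % i).packed))


def authoritative_server(qname, transport, edns_payload=None):
    """Stand-in for the parent-zone server. Over TCP the budget is the 64 KiB
    frame; over UDP it is 512 bytes or the EDNS0 payload size the client offered."""
    budget = 65535 if transport == "tcp" else (edns_payload or PLAIN_DNS_UDP_MAX)
    return build_response(0x1234, qname, TYPE_A, [], AUTHORITY, GLUE, budget)


def resolver_lookup(qname, tcp_allowed=True):
    """UDP first; on TC=1 retry over TCP, or fail if TCP/53 is blocked."""
    udp_reply = authoritative_server(qname, "udp")
    if not parse_header(udp_reply)["tc"]:
        return {"transport": "udp", "reply": udp_reply, "error": None}
    if not tcp_allowed:
        return {"transport": None, "reply": None,
                "error": "TC=1 over UDP but TCP/53 is blocked: lookup cannot complete"}
    framed = tcp_frame(authoritative_server(qname, "tcp"))
    (length,) = struct.unpack("!H", framed[:2])
    return {"transport": "tcp", "reply": framed[2:2 + length], "error": None}


if __name__ == "__main__":
    h = parse_header(authoritative_server("www.example.", "udp"))
    print("UDP referral: TC=%d NSCOUNT=%d ARCOUNT=%d" % (h["tc"], h["nscount"], h["arcount"]))
    print(resolver_lookup("www.example.")["transport"])
    print(resolver_lookup("www.example.", tcp_allowed=False)["error"])
```

With six NS records and twelve glue records the full referral is 617 bytes, so the plain-UDP reply stops after the ninth glue record at exactly 512 bytes with TC=1; the same query over TCP (or over UDP with an EDNS0 payload of 1232 offered) carries all twelve. A resolver that cannot reach TCP/53 is left with the truncated referral and no way to complete the lookup, which is the failure the message above is warning about.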

