copying the question section

James Ralston qralston+ml.bind-workers at
Tue Aug 6 21:52:49 UTC 2002

On Sun, 4 Aug 2002, Paul Vixie wrote:

> One note... let's not implement [RFC1035 7.3] in its entirety:
> |   - Some name servers send their responses from different
> |     addresses than the one used to receive the query.  That is, a
> |     resolver cannot rely that a response will come from the same
> |     address which it sent the corresponding query to.  This name
> |     server bug is typically encountered in UNIX systems.
> libresolv, libbind, and bind8 have required that the response source
> be the same as the query destination since about the BIND KJB/4.9
> era, and there's no reason to relax now.  (SunOS 4.1.3 was the
> culprit, and is long dead.)

Even if libresolv et. al. did permit the query response to come from a
different IP, most stateful firewalls I've seen certainly won't.

The Linux netfilter code, for example, considers a UDP packet to be
part of an "established" connection only if the source IP/port has
been swapped with the destination IP/port, and the "reply" is seen
with 30 seconds of the original packet.

I suspect that for many, many sites, DNS will break if RFC1035 7.3 is
implemented in its entirety.

James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

More information about the bind-workers mailing list