copying the question section
James Ralston
qralston+ml.bind-workers at andrew.cmu.edu
Tue Aug 6 21:52:49 UTC 2002
On Sun, 4 Aug 2002, Paul Vixie wrote:
> One note... let's not implement [RFC1035 7.3] in its entirety:
>
> | - Some name servers send their responses from different
> | addresses than the one used to receive the query. That is, a
> | resolver cannot rely that a response will come from the same
> | address which it sent the corresponding query to. This name
> | server bug is typically encountered in UNIX systems.
>
> libresolv, libbind, and bind8 have required that the response source
> be the same as the query destination since about the BIND KJB/4.9
> era, and there's no reason to relax now. (SunOS 4.1.3 was the
> culprit, and is long dead.)
Even if libresolv et al. did permit the query response to come from a
different IP, most stateful firewalls I've seen certainly won't.
The Linux netfilter code, for example, considers a UDP packet to be
part of an "established" connection only if the source IP/port has
been swapped with the destination IP/port, and the "reply" is seen
within 30 seconds of the original packet.
I suspect that for many, many sites, DNS will break if RFC1035 7.3 is
implemented in its entirety.
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
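The two behaviours discussed in this thread, a resolver refusing a response whose source is not the address it sent the query to, and a stateful firewall only passing a UDP "reply" whose address tuple is the swap of the original packet's within 30 seconds, are easy to model. The following Python is an added illustration, not code from this post, from BIND or from netfilter: the DNS wire-format helpers are minimal, the query name `example.com`, the resolver address `192.0.2.53` and the client port `40000` are constructed sample values, and the conntrack model is a simplification (a single 30-second timer, refreshed on each matching packet) of what the kernel actually does.

```python
import struct
import time

# ---- resolver side: the check libresolv/libbind/bind8 have enforced ----

def build_query(name, txid, qtype=1, qclass=1):
    """Build a minimal DNS query (RD set, one question, QTYPE A by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, qclass)

def make_constructed_response(query):
    """Constructed test helper: echo the query back with the QR bit set."""
    flags = struct.unpack(">H", query[2:4])[0] | 0x8000
    return query[:2] + struct.pack(">H", flags) + query[4:]

def accept_response(sent_to, sent_query, recv_from, data):
    """Return None if the datagram is an acceptable reply to sent_query,
    otherwise a short reason string.  sent_to/recv_from are (ip, port)."""
    # The point of the thread: the reply must come from exactly the
    # address and port the query was sent to, else it is dropped.
    if recv_from != sent_to:
        return "response source %r != query destination %r" % (recv_from, sent_to)
    if len(data) < 12:
        return "short datagram"
    txid, flags, qdcount = struct.unpack(">HHH", data[:6])
    if txid != struct.unpack(">H", sent_query[:2])[0]:
        return "transaction id mismatch"
    if not flags & 0x8000:
        return "QR bit clear: this is a query, not a response"
    if qdcount != 1:
        return "unexpected QDCOUNT"
    # The question section must be copied back verbatim (RFC 1035 4.1.2).
    qlen = len(sent_query) - 12
    if data[12:12 + qlen] != sent_query[12:]:
        return "question section does not match the one we sent"
    return None

# ---- firewall side: simplified stateful UDP tracking, as described above ----

class UdpConntrack:
    """Toy model of stateful UDP tracking.  Entries are keyed on the
    (src, dst) tuple of the outbound packet; a packet is a reply only if
    its tuple is the exact swap and arrives within TIMEOUT seconds."""
    TIMEOUT = 30.0  # the figure given in the post; a simplification

    def __init__(self):
        self.table = {}

    def outbound(self, src, dst, now=None):
        self.table[(src, dst)] = time.time() if now is None else now

    def is_reply(self, src, dst, now=None):
        now = time.time() if now is None else now
        key = (dst, src)  # swapped IP/port pair
        seen = self.table.get(key)
        if seen is None:
            return False
        if now - seen > self.TIMEOUT:
            del self.table[key]
            return False
        self.table[key] = now  # refresh the timer on a matching packet
        return True

if __name__ == "__main__":
    client, server, other = ("10.0.0.5", 40000), ("192.0.2.53", 53), ("192.0.2.54", 53)
    q = build_query("example.com", 0x1234)
    r = make_constructed_response(q)
    print("same source:", accept_response(server, q, server, r))
    print("other source:", accept_response(server, q, other, r))
    ct = UdpConntrack()
    ct.outbound(client, server, now=100.0)
    print("swapped tuple in time:", ct.is_reply(server, client, now=110.0))
    print("from other address:", ct.is_reply(other, client, now=110.0))
    print("after timeout:", ct.is_reply(server, client, now=200.0))
```

Both checks reject the RFC 1035 7.3 case, a response from a different address than the query went to, for independent reasons: the resolver because it cannot tie the datagram to an outstanding query, the firewall because the tuple never matches a tracked entry. A resolver that relaxed its check would still see the reply silently dropped at the first stateful filter in the path.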