copying the question section

James Ralston qralston+ml.bind-workers at andrew.cmu.edu
Tue Aug 6 21:52:49 UTC 2002


On Sun, 4 Aug 2002, Paul Vixie wrote:

> One note... let's not implement [RFC1035 7.3] in its entirety:
> 
> |   - Some name servers send their responses from different
> |     addresses than the one used to receive the query.  That is, a
> |     resolver cannot rely that a response will come from the same
> |     address which it sent the corresponding query to.  This name
> |     server bug is typically encountered in UNIX systems.
> 
> libresolv, libbind, and bind8 have required that the response source
> be the same as the query destination since about the BIND KJB/4.9
> era, and there's no reason to relax now.  (SunOS 4.1.3 was the
> culprit, and is long dead.)

Even if libresolv et al. did permit the query response to come from a
different IP, most stateful firewalls I've seen certainly won't.

The Linux netfilter code, for example, considers a UDP packet to be
part of an "established" connection only if the source IP/port has
been swapped with the destination IP/port, and the "reply" is seen
within 30 seconds of the original packet.

I suspect that for many, many sites, DNS will break if RFC1035 7.3 is
implemented in its entirety.

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
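The reply-matching rule the post describes, written out as a small added model in Python. This is not code from the post, from BIND, or from netfilter; it is a toy connection-tracking table plus a libresolv-style source check. The 30-second timeout is taken from the post, and the addresses and ports are constructed for the example.

```python
"""Toy model of stateful UDP reply matching for DNS.

A stateful firewall (netfilter-style) records the outbound query's
4-tuple and treats an inbound packet as ESTABLISHED only if its
addresses and ports are the exact swap of that tuple and it arrives
before the entry times out.  A resolver applies the same source check
without the timeout.  Everything here is a constructed illustration.
"""
from dataclasses import dataclass

# Assumption: unreplied-UDP timeout in seconds, as quoted in the post.
UDP_TIMEOUT = 30.0


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        """4-tuple in the packet's own direction."""
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reply_key(self):
        """The original-direction tuple this packet would be a reply to:
        source and destination swapped, nothing else changed."""
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ConntrackTable:
    """Minimal model of a stateful firewall's UDP tracking table."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self._seen = {}  # original-direction 4-tuple -> time of last packet

    def _expire(self, now):
        self._seen = {k: t for k, t in self._seen.items()
                      if now - t < self.timeout}

    def classify(self, pkt, now):
        """Return 'ESTABLISHED' if pkt is the exact reverse of a live
        entry (and refresh that entry), otherwise record pkt as 'NEW'."""
        self._expire(now)
        orig = pkt.reply_key()
        if orig in self._seen:
            self._seen[orig] = now
            return "ESTABLISHED"
        self._seen[pkt.key()] = now
        return "NEW"


def resolver_accepts(query, reply):
    """libresolv-style check: the response must come from the exact
    address and port the query was sent to, back to the querying socket."""
    return (reply.src_ip == query.dst_ip and reply.src_port == query.dst_port
            and reply.dst_ip == query.src_ip and reply.dst_port == query.src_port)


def simulate(query, replies):
    """Send one query at t=0 through the table, then each (time, packet)
    candidate reply.  A firewall that allows inbound UDP only in state
    ESTABLISHED passes a reply only when the table says so.  Returns
    (conntrack state, firewall passes, resolver accepts) per reply."""
    ct = ConntrackTable()
    ct.classify(query, 0.0)  # the outbound query opens the entry
    verdicts = []
    for t, r in replies:
        state = ct.classify(r, t)
        verdicts.append((state, state == "ESTABLISHED", resolver_accepts(query, r)))
    return verdicts


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges).
    query = UdpPacket("198.51.100.7", 40000, "192.0.2.53", 53)
    from_queried = UdpPacket("192.0.2.53", 53, "198.51.100.7", 40000)
    from_other_ip = UdpPacket("192.0.2.54", 53, "198.51.100.7", 40000)
    for v in simulate(query, [(1.0, from_queried), (2.0, from_other_ip),
                              (40.0, from_queried)]):
        print(v)
```

The second reply, sent from a different address than the one queried, is exactly the RFC 1035 7.3 case: the resolver rejects it, and a stateful firewall in front of it never delivers it in the first place because the tuple does not match any tracked entry. The third shows the timeout: a correctly sourced reply arriving after the entry has expired is also classified as NEW and dropped, even though the resolver check alone would pass it.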
