Re: Checksum at IP layer - is it even needed ?

2015-12-15 17:07:27
RFC 1123 said DNS/TCP is a SHOULD.  Most of the name servers in the
world actually implemented DNS/TCP.  All the stub resolvers in the world
actually implemented DNS/TCP.

The problem is that a myth grew up that DNS/TCP was only for AXFR so
people configured firewalls to block DNS/TCP as a way of blocking AXFR.

And there are others that turned the SHOULD into MAY when reading RFC
1123.

There were also a few CPE vendors that appear to have not read RFC 1123
because if they had I fail to see how they can justify not supporting DNS/TCP.

Then there are idiotic CPE vendors like the one below that outright lie to
DNS/TCP queries.  Nowhere does any RFC permit that.

Mark

On 16/12/2015, at 12:00 AM, Jared Mauch <jared(_at_)puck(_dot_)Nether(_dot_)net> wrote:

      There is the constant problem that the internet is viewed
through the lens of a TCP{80,443} transport, but that's another topic.

      I'm talking about ALG that actively breaks things or exposes
the end devices to increased attack surfaces due to devices that will
never be properly maintained or are impossible to report defects against.

      I look at the work in DNSOP to document that queries over
TCP are acceptable, but you end up with devices where they will never
be upgraded and do this:

https://www.cloudshark.org/captures/273da18d3057

Returning REFUSED is certainly not the right policy choice here
for a home gateway device.

      - Jared

-- 
Jared Mauch  | pgp key available via finger from jared(_at_)puck(_dot_)nether(_dot_)net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
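As an added example (not part of this thread or of anyone's posted code), a small Python checker for the behaviour Jared's capture shows: it builds a query, frames it for DNS/TCP, decodes the RCODE, and flags a resolver that answers over UDP but returns REFUSED over TCP. The server address and query name are whatever the caller supplies; the two sample response headers are constructed for offline use.

```python
import socket
import struct

# RCODE names from RFC 1035 section 4.1.1 (REFUSED is 5).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# Constructed 12-byte response headers (no question/answer sections), txid 0x1234,
# flags QR|RD|RA with RCODE 5 (REFUSED) and RCODE 0 (NOERROR).
SAMPLE_REFUSED = bytes.fromhex("1234 8185 0000 0000 0000 0000")
SAMPLE_NOERROR = bytes.fromhex("1234 8180 0000 0000 0000 0000")

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one IN question for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_rcode(resp):
    """Return (txid, rcode name) from a DNS response; the header is the first 12 bytes."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", resp[:4])
    return txid, RCODES.get(flags & 0x000F, str(flags & 0x000F))

def classify(udp_rcode, tcp_rcode):
    """Name the failure mode from the thread: UDP answered, TCP got REFUSED."""
    if tcp_rcode == "REFUSED" and udp_rcode != "REFUSED":
        return "BROKEN_TCP: resolver refuses DNS/TCP while DNS/UDP works"
    if udp_rcode == tcp_rcode:
        return "OK: same RCODE over UDP and TCP (" + udp_rcode + ")"
    return "MISMATCH: udp=" + udp_rcode + " tcp=" + tcp_rcode

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP stream early")
        buf += chunk
    return buf

def query_tcp(server, name, timeout=3.0):
    """Live check (not exercised offline): send one query over TCP port 53, return RCODE name."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return parse_rcode(_recv_exact(s, length))[1]
```

Run `query_tcp` against the gateway's resolver address alongside a plain UDP lookup of the same name and feed both RCODEs to `classify`; a `BROKEN_TCP` result is the REFUSED-on-TCP behaviour discussed above.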