spf-discuss

Re: Forking SPF into The New SPF and SPF1

2004-06-07 15:33:41
On Mon, Jun 07, 2004 at 02:27:10PM -0700, Michel Py wrote:
> I wrote "queries", not "transfers". To begin with, I looked at customers
> access-lists this morning WRT DNS and I have not found a single one that
> allowed DNS over TCP except for a little number of other DNS servers
> that are known to transfer zones with the DNS server protected by the

So all of their firewalls are broken.  Gotcha. :)

> have to explain to me how you do that. At this point in time DNS queries
> over TCP are not an option because a) they are largely untested and b)
> they are blocked by almost every access-list in the world.

Says you.  To me, it sounds like the admin doesn't know DNS does UDP
and TCP.  (to note: every firewall I've ever set up or taken over supports
UDP and TCP, and all firewall appliances I've seen understand both should
be allowed when you say "service dns"...)

> Note that it says permit udp, not permit tcp or permit ip.

Then they're broken IMHO.  The RFC is very clear that TCP is going
to happen sometimes, although it technically only specifies that
servers/clients "SHOULD" do TCP if the UDP response is truncated:

http://www.faqs.org/rfcs/rfc1123.html
         6.1.3.2  Transport Protocols

            DNS resolvers and recursive servers MUST support UDP, and
            SHOULD support TCP, for sending (non-zone-transfer) queries.
            Specifically, a DNS resolver or server that is sending a
            non-zone-transfer query MUST send a UDP query first.  If the
            Answer section of the response is truncated and if the
            requester supports TCP, it SHOULD try the query again using
            TCP.
[... snipped very nice discussion section ...]
                 However, it is also clear that some new DNS record
                 types defined in the future will contain information
                 exceeding the 512 byte limit that applies to UDP, and
                 hence will require TCP.  Thus, resolvers and name
                 servers should implement TCP services as a backup to
                 UDP today, with the knowledge that they will require
                 the TCP service in the future.

http://www.faqs.org/rfcs/rfc1035.html
4.2. Transport

The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit.  While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance.  Zone refresh activities
must use virtual circuits because of the need for reliable transfer.

The Internet supports name server access using TCP [RFC-793] on server
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
port 53 (decimal).

4.2.1. UDP usage

Messages sent using UDP user server port 53 (decimal).

Messages carried by UDP are restricted to 512 bytes (not counting the IP
or UDP headers).  Longer messages are truncated and the TC bit is set in
the header.

http://www.faqs.org/rfcs/rfc1912.html
   [...] You also run the risk of overflowing the 512-byte limit of a
   UDP packet in the response to an NS query.  If this happens, resolvers
   will "fall back" to using TCP requests, resulting in increased load
   on your nameserver.

-- 
Randomly Generated Tagline:
"To round out this virtual experience I recommend removing one of your
 socks and using it as a hand puppet. Hold the puppet up to one ear and
 have it say things like "This one's really funny!" followed by a loud
 maniacal laugh. (But sometimes, just for realism, have the sock say "I
 don't get it" in a soft whiney voice.)"         - Dilbert Homepage
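
The UDP-first, retry-over-TCP-on-truncation rule that the RFC excerpts above describe, as an added Python example that is not part of this post or of the SPF project: it builds a query, inspects the TC bit, frames the retry with the two-byte length prefix DNS over TCP uses, and drives the logic through injected transports with constructed responses, so the effect of a "permit udp" only access-list can be seen offline. The fake_* transports and the RuntimeError are assumptions of the example, not anything the post describes.

```python
import struct
from typing import Callable, Optional, Tuple

# Added illustration, not code from the list post or the SPF project.
TC_FLAG = 0x0200  # TrunCation bit in the DNS header flags word (RFC 1035 4.1.1)


def build_query(name: str, qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header + one question (qtype 16 = TXT, as SPF uses)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(msg: bytes) -> bool:
    """True if the server set the TC bit: the UDP answer was cut at 512 bytes."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve(query: bytes, send_udp: Callable[[bytes], bytes],
            send_tcp: Callable[[bytes], Optional[bytes]]) -> Tuple[str, bytes]:
    """RFC 1123 6.1.3.2: send over UDP first; if TC is set, retry over TCP.
    Transports are injected so the logic can be exercised offline.
    Returns (transport_used, message)."""
    reply = send_udp(query)
    if not is_truncated(reply):
        return "udp", reply
    tcp_reply = send_tcp(tcp_frame(query))
    if tcp_reply is None:  # an access-list that only permits udp/53
        raise RuntimeError("UDP answer truncated and TCP/53 blocked: resolution fails")
    return "tcp", tcp_reply[2:]  # strip the length prefix


# Constructed sample responses (not captured traffic): echo the query, TC set or clear.
def fake_udp_truncated(q: bytes) -> bytes:
    return q[:2] + struct.pack("!H", 0x8180 | TC_FLAG) + q[4:]

def fake_udp_complete(q: bytes) -> bytes:
    return q[:2] + struct.pack("!H", 0x8180) + q[4:]

def fake_tcp_ok(framed: bytes) -> bytes:
    inner = framed[2:]
    return tcp_frame(inner[:2] + struct.pack("!H", 0x8180) + inner[4:])

def fake_tcp_blocked(framed: bytes) -> Optional[bytes]:
    return None  # the firewall drops tcp/53, as with a "permit udp" only rule
```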

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
