Wolff, Nicholas (Nick) wrote:
> On 5/12/15, 1:29 PM, "Paul Vixie" <[email protected]> wrote:
>
>> can you rank the following in terms of (a) level of difficulty and MTTR,
>> and (b) your willingness to help?
>>
>> (1) make EDNS0 work near-universally
>> (2) use a new port number
>> (3) fix TCP/53
>>
>> i've listed them in my own ease-of-getting-there.
>>
>> my proposal is a tcp proxy which tunnels dns over http (in binary form,
>> no xml or json). to be released shortly.
>
> So maybe a stupid question but what is wrong with tcp on port 53
> specifically.
this has been discussed, here and elsewhere, quite a bit. you can start here:

http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/

there's also these:

http://www.mail-archive.com/[email protected]/msg08377.html
http://www.mail-archive.com/[email protected]/msg08382.html

and finally, this:

http://queue.acm.org/detail.cfm?id=1242499

> I understand what is wrong with tcp but why does the port 53
> part matter? Just because it's some known port to easily ddos? What are
> the alternatives? A different port with a different tcp syntax? Some
> mechanism where, when the udp truncation bit is set, it then passes back a
> specific port to use over tcp?
>
> Sorry for the mass of questions, just feel like I'm missing a large piece
> of this discussion.

you apparently did. the port (53) matters only because of originally-specified behaviour, which we would have to re-negotiate using new signalling, which is not easier than "use a different port number" nor "fix EDNS0" nor "define a standard HTTP/HTTPS proxy schema for this."

vixie

--
Paul Vixie

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
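The three transport mechanisms the thread compares (EDNS0, the UDP truncation bit, and DNS over TCP/53) all come down to a few bytes of wire format. The following is an added illustration, not code from either poster or from the dns-operations list: it builds a query carrying an EDNS0 OPT record that advertises a UDP payload size (RFC 6891), checks the TC bit in a response header to decide whether a resolver must retry over TCP, and applies the two-byte length prefix that DNS over TCP uses (RFC 1035 section 4.2.2). The truncated response bytes and the 1232-byte EDNS buffer size are constructed sample values chosen for the example; nothing here talks to the network.

```python
import struct
from typing import List, Optional


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                edns_udp_size: Optional[int] = 1232) -> bytes:
    """Build a recursive query; append an EDNS0 OPT pseudo-RR when edns_udp_size is set."""
    flags = 0x0100  # RD=1, everything else zero
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL field reused for extended RCODE / version / flags (all zero), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; TC (0x0200) is the truncation flag."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query: bytes, response: bytes) -> bool:
    """True when a UDP response matches our query ID and is truncated (TC=1)."""
    h = parse_header(response)
    (qid,) = struct.unpack("!H", query[:2])
    return h["qr"] and h["id"] == qid and h["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its big-endian 16-bit length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> List[bytes]:
    """Split a TCP byte stream into complete messages; a trailing partial message is left unread."""
    msgs = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


# Constructed sample: a truncated UDP response to QUERY (QR=1, TC=1, RD=1, RA=1, no answers)
QUERY = build_query("example.com")
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(parse_header(TRUNCATED_RESPONSE))
    print("retry over TCP:", needs_tcp_retry(QUERY, TRUNCATED_RESPONSE))
    print("TCP-framed query:", tcp_frame(QUERY).hex())
```

The point of `tcp_unframe` is the part that makes "fix TCP/53" harder than it looks: a TCP socket delivers a byte stream, so a server must buffer until a whole length-prefixed message has arrived, and a resolver must match responses to queries by ID rather than by datagram boundary.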
