On Tue, Feb 06, 2001 at 08:29:56PM -0000, D. J. Bernstein wrote:
> Nilsson writes:
> > TCP and UDP are mandatory, regardless of query size.
>
> False. RFC 1123 _recommends_ TCP. Query size was explicitly identified
> as the reason for this recommendation: the authors believed that new DNS
> record types would someday require packets larger than 512 bytes.
RFC1035:
[...]
4.2. Transport
The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit. While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance. Zone refresh activities
must use virtual circuits because of the need for reliable transfer.
The Internet supports name server access using TCP [RFC-793] on server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port 53 (decimal).
My English is poor, but if you cut TCP, you don't support TCP "as well"
as UDP.
[...]
> Of course, TCP is required for zone transfers, but zone transfers aren't
> required for servers. A pure secondary server, or a primary server that
> uses (say) rsync for replication, doesn't need outgoing zone transfers.
Point taken.
> I recommend against TCP service on DNS servers that don't need it. TCP
Even if it's not the point of the discussion, I wouldn't advise rsync then.
[...]
> Perhaps that's true for BIND. But my DNS server goes to great effort to
> help new DNS administrators create correct configurations, and it does
> _not_ provide lame root information by default. As I said, there's a
> cost to keeping that information up to date.
cat > /etc/cron.monthly/root-servers <<'EOF'
#!/bin/sh
# Refresh the root hints from a root server, then check the new copy into RCS
# (the quoted heredoc delimiter keeps `date` from expanding at install time).
dig @a.root-servers.net . ns > /var/named/root.db
ci -m"Mise à jour du `date +%Y-%m-%d`" -l /var/named/root.db
EOF
chmod +x /etc/cron.monthly/root-servers
+ crontab entry.
I'd be surprised to find any security-conscious admin who can't handle that.
--
Ueimor
AFNIC / NIC-France
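The UDP-first, TCP-only-on-truncation behaviour that RFC 1035 section 4.2 describes, as an added example that is not part of this thread or of anyone's DNS software: a minimal client that sends an NS query over UDP (for the root by default, like the dig call above), retries over TCP only when the TC bit is set, and applies the two-byte length prefix TCP framing requires. The server address and timeout are the caller's choice.

```python
"""UDP-first DNS lookup with TCP fallback on the TC bit (RFC 1035 4.2)."""
import socket
import struct

DNS_PORT = 53
UDP_MAX = 512  # classic UDP payload limit that motivates the TCP fallback


def build_query(name=".", qtype=2, txid=0x1234):
    """Encode a standard query; QTYPE 2 = NS. '.' yields the root QNAME."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def is_truncated(msg):
    """TC is bit 0x0200 of the flags word; it tells the client to retry over TCP."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & 0x0200)


def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP every message is prefixed by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    """Strip the length prefix, ignoring any bytes beyond the framed message."""
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]


def lookup(name, server, timeout=3.0):
    """Return ("udp"|"tcp", raw response); TCP is used only if UDP answered with TC."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, DNS_PORT))
        resp, _ = u.recvfrom(UDP_MAX)
    if not is_truncated(resp):
        return "udp", resp
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as t:
        t.sendall(tcp_frame(q))
        buf = b""
        # Read until the 2-byte length prefix says the whole message has arrived.
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = t.recv(4096)
            if not chunk:
                break
            buf += chunk
    return "tcp", tcp_unframe(buf)
```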