Re: [dns-operations] DNS Issue

2013-05-01 Thread Lutz Donnerhacke
* John Kristoff wrote:
 And why do auditors not like tcp53 open to the public?

 They may have an outdated, naive view of what should be open and
 what shouldn't be?  Show them the above and ask them why.  I'd be
 curious what the response is.

We have never seen TCP/53 in public besides strange examples or attacks.
TCP/53 is superseded by EDNS0.
TCP/53 is only needed for AXFR, allow TCP/53 only to(!) your primary NS.
DNS works over UDP.

There are more such answers. But the most prominent answer is:
We marked it red, because it's a security risk. Close it!
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


Re: [dns-operations] DNS Issue

2013-05-01 Thread Michele Neylon :: Blacknight
We've seen large companies' sysadmins being adamant that their firewall setup 
was correct and that we didn't know DNS .. .. even though every single article 
and test result proved otherwise .. 

Never underestimate stupidity and ignorance :)


Mr Michele Neylon
Blacknight Solutions ♞
Hosting & Domains
ICANN Accredited Registrar
http://www.blacknight.co
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
US: 213-233-1612 
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Facebook: http://fb.me/blacknight
Twitter: http://twitter.com/mneylon
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


Re: [dns-operations] DNS Issue

2013-05-01 Thread Florian Weimer
* Joe Abley:

 The assumption is that firewall means device that keeps
 state. This could be a firewall, or a NAT, or an in-line DPI
 device, or something similar. We're not talking about stateless
 packet filters.

I think you still can't serve UDP over IPv6 without per-client state,
keeping both full RFC conformance and interoperability with the
existing client population.  Pre-fragmentation to 1280 or so bytes
isn't enough, you also have to generate atomic fragments.  But the
latter cannot be processed by some clients, so you cannot send out
atomic fragments unconditionally (even if there were a socket option
to do that).

Many large servers do not even pre-fragment to 1280 bytes, so they
rely on path MTU information in the destination cache for
communication with clients on sub-1500-MTU links.  I wonder when this
statefulness of IPv6 UDP traffic will cause practical problems,
probably as soon as the traffic levels exceed what can be comfortably
kept in the server cache.

Enough ranting today.  I suspect this issue will only get addressed
when enough operators experience it first-hand, like the EDNS0
fallback issue.


Re: [dns-operations] DNS Issue

2013-05-01 Thread Dobbins, Roland

On May 1, 2013, at 9:40 PM, Florian Weimer wrote:

 I wonder when this statefulness of IPv6 UDP traffic will cause practical 
 problems,

One rather suspects that there are many more implications to moving 
fragmentation to the endpoint nodes which have yet to be fully understood (for 
example, the negative effects of ICMPv6 overblocking on PMTU-D).

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton



Re: [dns-operations] DNS Issue

2013-05-01 Thread Mike Hoskins (michoski)
-Original Message-

From: Michele Neylon :: Blacknight mich...@blacknight.com
Date: Wednesday, May 1, 2013 8:21 AM
To: Lutz Donnerhacke l...@iks-jena.de
Cc: dns-operati...@mail.dns-oarc.net dns-operati...@mail.dns-oarc.net
Subject: Re: [dns-operations] DNS Issue

We've seen large companies' sysadmins being adamant that their firewall
setup was correct and that we didn't know DNS .. .. even though every
single article and test result proved otherwise ..

Never underestimate stupidity and ignorance :)

Hanlon's razor...  One of my favorites.  :-)




Re: [dns-operations] DNS Issue

2013-05-01 Thread Tony Finch
Florian Weimer f...@deneb.enyo.de wrote:

 I think you still can't serve UDP over IPv6 without per-client state,
 keeping both full RFC conformance and interoperability with the
 existing client population.  Pre-fragmentation to 1280 or so bytes
 isn't enough, you also have to generate atomic fragments.

Or don't fragment and restrict the EDNS buffer size to 1280. I'm somewhat
amazed that DNS-over-fragmented-UDP works as well as it does. See also
https://www.usenix.org/conference/lisa12/dnssec-what-every-sysadmin-should-be-doing-keep-things-working

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


Re: [dns-operations] DNS Issue

2013-05-01 Thread Florian Weimer
* Tony Finch:

 Florian Weimer f...@deneb.enyo.de wrote:

 I think you still can't serve UDP over IPv6 without per-client state,
 keeping both full RFC conformance and interoperability with the
 existing client population.  Pre-fragmentation to 1280 or so bytes
 isn't enough, you also have to generate atomic fragments.

 Or don't fragment and restrict the EDNS buffer size to 1280.

Unfortunately, that's still not compliant.  Those responses can
trigger ICMP Packet Too Big messages, and then you're supposed to
generate atomic fragments (that is, send a single-packet unfragmented
response with a Fragmentation header).

It's one of those things in the IPv6 specification which should go,
but 6man *loves* them, unfortunately.

(By the way, if you've got a system which generates atomic fragments,
you should set a lower EDNS buffer size than 1280.)


Re: [dns-operations] DNS Issue

2013-05-01 Thread Paul Vixie


Tony Finch wrote:
 ... don't fragment and restrict the EDNS buffer size to 1280. I'm
 somewhat amazed that DNS-over-fragmented-UDP works as well as it does.
 See also
 https://www.usenix.org/conference/lisa12/dnssec-what-every-sysadmin-should-be-doing-keep-things-working

and:

http://www.hpl.hp.com/techreports/Compaq-DEC/WRL-87-3.pdf

Re: [dns-operations] DNS Issue

2013-05-01 Thread Mark Andrews

In message alpine.lsu.2.00.1305011825160.19...@hermes-2.csi.cam.ac.uk, Tony Finch writes:
 Florian Weimer f...@deneb.enyo.de wrote:
 
  I think you still can't serve UDP over IPv6 without per-client state,
  keeping both full RFC conformance and interoperability with the
  existing client population.  Pre-fragmentation to 1280 or so bytes
  isn't enough, you also have to generate atomic fragments.
 
 Or don't fragment and restrict the EDNS buffer size to 1280. I'm somewhat
 amazed that DNS-over-fragmented-UDP works as well as it does. See also
 https://www.usenix.org/conference/lisa12/dnssec-what-every-sysadmin-should-be-doing-keep-things-working

Which just moves the PMTUD problem to TCP which I can assure you
is also a problem.  Some of the ORG servers are configured like
this and guess what it does not work well.  Named now sets
IPV6_USE_MIN_MTU to 1 on TCP sockets to avoid this as well.

In theory this should impact the MSS negotiation, as the MTU for
the connection has been reduced to 1280.  Apple and FreeBSD (at
least) get this wrong.  Bug reports have been filed with both vendors
as well as a kernel patch for FreeBSD.

In practice it results in fragmented TCP packets being sent but at
least you avoid PMTUD one way.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
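Two threads of the discussion above meet in one mechanism: Lutz's auditors who insist TCP/53 is only for AXFR, and Tony, Florian and Mark arguing about capping the EDNS buffer size at 1280 on IPv6 to avoid fragmentation, which pushes any larger answer onto TCP. The following is an added example, not code from the list or from any of the posters, that models that mechanism end to end: the client advertises an EDNS0 payload size, the server clamps it to its own cap and sets TC when the answer does not fit, and the client retries over TCP/53, which only works if nobody has "marked it red" and filtered it. The wire-format facts (RFC 1035 header and TC bit, the two-byte length prefix on TCP, the RFC 6891 OPT record carrying the payload size in its CLASS field, the 512-byte default) are real; the answer payload is an opaque constructed blob standing in for a signed RRset, queries carry one question and no name compression, and the 1280-byte server cap is an assumption taken from the thread.

```python
"""Added example (not from the dns-operations thread): EDNS0 payload-size
negotiation, server-side truncation, and the UDP -> TCP fallback that makes
reachable TCP/53 a requirement rather than an AXFR-only nicety.
Assumptions: one question per query, no name compression, the "answer" is an
opaque constructed blob, and the server caps UDP replies at 1280 bytes."""
import struct
from typing import Optional, Tuple

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
EDNS_OPT_TYPE = 41
IPV6_SAFE_PAYLOAD = 1280   # assumed server cap: IPv6 minimum MTU, never fragment


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int, udp_payload: Optional[int]) -> bytes:
    """Recursive query; with udp_payload set, an RFC 6891 OPT RR advertises that UDP size."""
    msg = DNS_HEADER.pack(txid, FLAG_RD, 1, 0, 0, 1 if udp_payload is not None else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if udp_payload is not None:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload, 0, 0)
    return msg


def _question_end(msg: bytes) -> int:
    """Offset just past the question section (labels walked literally, no compression)."""
    _, _, qdcount, _, _, _ = DNS_HEADER.unpack_from(msg)
    off = DNS_HEADER.size
    for _ in range(qdcount):
        while msg[off]:
            off += 1 + msg[off]
        off += 1 + 4                      # terminator + QTYPE/QCLASS
    return off


def advertised_udp_size(query: bytes) -> int:
    """Client's EDNS0 payload size; 512 without an OPT RR (RFC 6891 floors lower values at 512)."""
    _, _, _, _, _, arcount = DNS_HEADER.unpack_from(query)
    off = _question_end(query)
    for _ in range(arcount):
        while query[off]:
            off += 1 + query[off]
        off += 1
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        off += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            return max(rclass, 512)
    return 512


def _response(query: bytes, answer: bytes, truncated: bool) -> bytes:
    """Echo the question; attach the answer blob (modelled as one RR) unless truncating."""
    txid, _, qdcount, _, _, _ = DNS_HEADER.unpack_from(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    body = query[DNS_HEADER.size:_question_end(query)]
    if not truncated:
        body += answer
    return DNS_HEADER.pack(txid, flags, qdcount, 0 if truncated else 1, 0, 0) + body


def server_udp_response(query: bytes, answer: bytes, server_cap: int = IPV6_SAFE_PAYLOAD) -> bytes:
    """Server side: usable UDP size is min(client advertised, our cap); too big -> TC=1, no answer."""
    limit = min(advertised_udp_size(query), server_cap)
    full = _response(query, answer, truncated=False)
    return full if len(full) <= limit else _response(query, answer, truncated=True)


def is_truncated(response: bytes) -> bool:
    _, flags, _, _, _, _ = DNS_HEADER.unpack_from(response)
    return bool(flags & FLAG_TC)


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is prefixed with its two-byte length."""
    return struct.pack("!H", len(msg)) + msg


def resolve(query: bytes, answer: bytes, server_cap: int = IPV6_SAFE_PAYLOAD,
            tcp53_open: bool = True) -> Tuple[str, Optional[bytes]]:
    """Client side: try UDP; on TC retry over TCP, which only works if TCP/53 is not filtered."""
    udp = server_udp_response(query, answer, server_cap)
    if not is_truncated(udp):
        return "udp", udp
    if not tcp53_open:
        return "udp-truncated", None      # the "close it, it's a security risk" outcome
    framed = tcp_frame(_response(query, answer, truncated=False))
    (length,) = struct.unpack("!H", framed[:2])
    return "tcp", framed[2:2 + length]


if __name__ == "__main__":
    q = build_query("example.com", 48, txid=0x1234, udp_payload=4096)   # 48 = DNSKEY
    signed = bytes(1400)   # constructed stand-in for a ~1.4 KB DNSSEC answer
    print(resolve(q, signed, server_cap=1280)[0])                        # tcp
    print(resolve(q, signed, server_cap=1280, tcp53_open=False)[0])      # udp-truncated
```

The interesting run is the last two lines of the `__main__` block: the client offers 4096 bytes, the server's 1280 cap wins, the 1.4 KB answer does not fit, and the only way the resolver ever sees it is the TCP retry. Raise the server cap to 4096 and the same answer goes out in one UDP datagram, which is exactly the fragmentation trade-off Mark describes being moved from UDP PMTUD to TCP.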