matt@credibleinstitution.org (Matt F) writes:
Why not just require TCP for a lookup if a response with an incorrect TXID is received? You could require TCP for just the one lookup or for some configured interval, say 1 hour. That should slow attackers down substantially.
because TCP is considered optional by many authority DNS server operators. it's only required if you expect AXFR or if you ever emit a TC bit. if you don't want to do TCP then you can rule out the TC bit and AXFR and just not do TCP, and you'll be dead-to-rights within the various DNS protocol RFCs. anyone who insists on reaching such a server by TCP will be shit-outta-luck.

however, this suggestion and dozens of others are being workshopped all day every day by actual DNS experts. you may not know about those discussions because they are not occurring on nanog@, where they would be off-topic, like this thread here. please join namedroppers@ops.ietf.org and perhaps dns-operations@lists.oarci.net if you want to discuss DNS protocol matters.

please, please, please don't open this can of, um, worms on nanog@ again. not even on a sunday afternoon when just about anything goes.

-- 
Paul Vixie
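A worked sketch of the resolver-side policy Matt F proposes (drop a UDP reply whose TXID does not match, then require TCP for that server for about an hour), together with the failure mode Paul Vixie raises: an authority that never answers TCP leaves the name unresolvable under that policy. This is an added example, not code from anyone in this thread; the udp_query/tcp_query callbacks and the 192.0.2.x answers are constructed stand-ins, not a real DNS implementation.

```python
import random
TCP_PENALTY_SECONDS = 3600  # Matt F's example interval: require TCP for about an hour

class TxidGuard:
    """Per-server state: a UDP reply with the wrong TXID is dropped as a likely
    spoof, and that server is put on TCP until the penalty interval expires."""
    def __init__(self):
        self._tcp_until = {}  # server -> epoch seconds until which TCP is required
    def on_udp_reply(self, server, sent_txid, got_txid, now):
        if sent_txid == got_txid:
            return True
        self._tcp_until[server] = now + TCP_PENALTY_SECONDS
        return False
    def tcp_required(self, server, now):
        return self._tcp_until.get(server, 0.0) > now

def lookup(guard, server, qname, now, udp_query, tcp_query):
    """Resolve qname at server under the guard's policy. udp_query and
    tcp_query(server, qname, txid) return (reply_txid, answer); tcp_query raises
    ConnectionRefusedError for an authority that does not serve TCP at all.
    Returns (transport, answer) on success or ("fail", reason)."""
    txid = random.getrandbits(16)
    if not guard.tcp_required(server, now):
        got, answer = udp_query(server, qname, txid)
        if guard.on_udp_reply(server, txid, got, now):
            return ("udp", answer)
    # TCP path: Vixie's caveat, TCP is optional for authorities, so this can fail
    try:
        got, answer = tcp_query(server, qname, txid)
    except ConnectionRefusedError:
        return ("fail", "authority does not answer TCP; unresolvable under this policy")
    if got != txid:
        return ("fail", "TXID mismatch even over TCP")
    return ("tcp", answer)

# Constructed test doubles (not real DNS traffic): a forged UDP reply carrying a
# wrong TXID, an honest UDP reply, a TCP-capable authority, and a UDP-only one.
def spoofed_udp(server, qname, txid): return ((txid + 1) & 0xFFFF, "192.0.2.66")
def honest_udp(server, qname, txid): return (txid, "192.0.2.1")
def tcp_ok(server, qname, txid): return (txid, "192.0.2.1")
def tcp_refused(server, qname, txid): raise ConnectionRefusedError

def demo():
    g, t0 = TxidGuard(), 1_000_000.0
    r1 = lookup(g, "ns.example", "www.example", t0, spoofed_udp, tcp_ok)             # forced onto TCP
    r2 = lookup(g, "ns.example", "www.example", t0 + 60, honest_udp, tcp_ok)         # still TCP within the hour
    r3 = lookup(g, "ns.example", "www.example", t0 + TCP_PENALTY_SECONDS + 1, honest_udp, tcp_ok)  # back to UDP
    r4 = lookup(g, "ns.udponly", "www.example", t0, spoofed_udp, tcp_refused)        # no TCP: lookup fails
    return r1, r2, r3, r4
```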