From: Joe Abley <jabley@hopcount.ca>
Date: Fri, 26 Mar 2010 10:06:02 -0700
On 2010-03-26, at 06:40, Max Larson Henry wrote:
Does anyone have experience with anycast IPv4 networks (to support DNS)?
"Never been done" "Dangerous" "TCP does not work" etc etc etc.
- Yes, but as for DNS, anycast is essentially used for user requests (UDP), not to perform zone transfers (TCP).
As others have mentioned, TCP can generally be used for any DNS query, not just AXFR.
This becomes more important as DNS responses get bigger, e.g. responses from root servers due to the root zone containing DNSSEC information, see <http://www.root-dnssec.org/>.
If your nameserver can't be reached over TCP, it's likely that there are people who can't talk to your nameserver. This means your DNS records can't be found. This is a bad thing.
Here, in glorious LOLCAPS:
ALWAYS MAKE SURE YOUR DNS SERVER CAN BE REACHED OVER TCP TCP IS NOT JUST FOR ZONE TRANSFERS FIX YOUR FIREWALLS
:-)
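The UDP-then-TCP behaviour Joe describes, as an added example that is not part of the original thread or anyone's posted code: a stub resolver sends a query over UDP, and if the reply comes back with the TC (truncated) bit set it retries over TCP, where each message is prefixed with a 2-byte length. If 53/tcp is filtered, the retry never succeeds and the large answer is simply lost. The `fake_server` function, the 40-record answer and the `example.com` name are constructed for the demonstration; `udp_transport` and `tcp_transport` are real-socket senders you can plug in to test an actual nameserver.

```python
"""Added example (not from the thread): DNS UDP query with TCP fallback on TC=1."""
import socket
import struct

UDP_MAX = 512   # classic DNS/UDP payload limit when EDNS0 is not in use


def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Header fields we care about: ID, QR, TC, RCODE, ANCOUNT."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP (RFC 1035 4.2.2): 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short DNS/TCP message")
    return body


def query_with_fallback(name, send_udp, send_tcp):
    """UDP first; if the answer is truncated (TC=1), retry the same query over TCP.
    send_udp/send_tcp are transport callables; send_tcp=None models a blocked 53/tcp."""
    q = build_query(name)
    resp = send_udp(q)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(q)["id"] or not hdr["qr"]:
        raise ValueError("response does not match query")
    if not hdr["tc"]:
        return resp, "udp"
    if send_tcp is None:
        raise RuntimeError("answer truncated and 53/tcp is unreachable")
    full = tcp_unframe(send_tcp(tcp_frame(q)))
    if parse_header(full)["tc"]:
        raise ValueError("server truncated over TCP as well")
    return full, "tcp"


def fake_server(query, transport, n_records=40):
    """Constructed authoritative server (not a real one): answers with n_records
    A records (name compression pointer 0xC00C -> the question name at offset 12).
    Over UDP it sends an empty TC=1 reply when the full answer exceeds UDP_MAX."""
    if transport == "tcp":
        query = tcp_unframe(query)
    qid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]                      # echo the question section
    rrs = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, i)
                   for i in range(n_records))  # 16 bytes per record, 192.0.2.0/24
    flags = 0x8400                             # QR=1, AA=1
    full = struct.pack("!HHHHHH", qid, flags, qd, n_records, 0, 0) + question + rrs
    if transport == "udp" and len(full) > UDP_MAX:
        return struct.pack("!HHHHHH", qid, flags | 0x0200, qd, 0, 0, 0) + question
    return tcp_frame(full) if transport == "tcp" else full


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def udp_transport(server, port=53, timeout=3.0):
    """Real 53/udp sender for testing a live nameserver."""
    def send(msg):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, port))
            return s.recv(4096)
    return send


def tcp_transport(server, port=53, timeout=3.0):
    """Real 53/tcp sender; returns the length-framed response bytes."""
    def send(framed):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(framed)
            head = _recv_exact(s, 2)
            return head + _recv_exact(s, struct.unpack("!H", head)[0])
    return send


if __name__ == "__main__":
    udp = lambda m: fake_server(m, "udp")
    tcp = lambda m: fake_server(m, "tcp")
    msg, via = query_with_fallback("example.com", udp, tcp)
    print(via, parse_header(msg)["ancount"], "records")
    try:
        query_with_fallback("example.com", udp, None)   # 53/tcp filtered
    except RuntimeError as exc:
        print("firewall blocks 53/tcp ->", exc)
```

To check a real server, replace the two lambdas with `udp_transport("192.0.2.53")` and `tcp_transport("192.0.2.53")` (address assumed); a `RuntimeError` or a socket timeout on the TCP leg is exactly the failure mode the message above warns about.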
Fix your security officers! I have talked to multiple security officers (who are generally not really knowledgeable on networks) who had 53/tcp blocked and none have yet agreed to change it. The last one told me that blocking 53/tcp is "standard industry practice" as per his firewall training. Pointing out what the RFCs said simply bounced off him. He said that if the protocols would not handle blocked 53/tcp, the protocols would have to be changed. Opening the port was simply not open to discussion. They don't seem to really care if things are broken and seem to feel that it is up to "the network" to accommodate their idea of normal firewall configuration. I will say that these were at federal government facilities. I hope the commercial world is a bit more in touch with reality.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751