26 Apr
2005
26 Apr
'05
7:09 p.m.
* Christopher L. Morrow:
its a both directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFR's from folks not their normal secondaries.
Ugh. And they didn't think something like "permit tcp any any eq 53 established" was necessary?
Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.
It seems that what might be more common is resolver code not handling the truncate request properly :(
Caching resolvers or stub resolvers? Caching resolvers would be quite surprising, but you never know. Certainly, there are some applications which cannot cope with large RR sets (qmail comes to my mind).