On Aug 7, 2007, at 2:23 PM, Andrew Sullivan wrote:
On Tue, Aug 07, 2007 at 01:50:33PM -0700, Kevin Oberman wrote:
that security types (I mean those with a police/physical security background) don't must care for these arguments. It usually comes down to "lock and bar every door unless you can prove to them that there is a need to have the door unlocked".
...
The "need to have the door unlocked" is because that's the way the building is designed to fail its fireproofing. And the need to have the TCP port open is because that's the way the network protocol is designed to fail from UDP.
Ensuring an authoritative domain name server responds via UDP is a critical security requirement. TCP will not create the same risk of a resolver being poisoned, but a TCP connection will consume a significant amount of a name server's resources. ACLs restricting TCP fall-back is fairly common. For example, too many bytes might be placed into a domain's SPF records. While TCP offers a fallback mode of operation for this fairly common error, this fallback does not ensure oversize records are fixed promptly. TCP fallback on such records leaves open an opportunity to stage DDoS attacks when bad actors wishes to take down authoritative name servers while also attempting to poison resolvers. Here again, SPF might offer access to remote resolvers query for the records to be poisoned, isolate query ports, and time poison records. : ( http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery- resilience-01.txt -Doug