On Tue, 26 Apr 2005, Florian Weimer wrote:
* Christopher L. Morrow:
It's a both-directions thing. Some folks dropped tcp/53 TO their AUTH servers to protect against AXFRs from folks not their normal secondaries.
Ugh. And they didn't think something like "permit tcp any any eq 53 established" was necessary?
That only helps for outbound from the server :( not: "Hey, this response is going to be too big, come back on TCP!" :(
Hopefully not. Resolvers MUST be able to make TCP connections to other name servers.
It seems that what might be more common is resolver code not handling the truncate request properly :(
Caching resolvers or stub resolvers? Caching resolvers would be quite surprising, but you never know.
I've seen Windows DNS servers misbehave in this way, as well as some firewalls performing DNS cache/proxy for clients internal to enterprises... (the MS boxen doing it were cache servers, of course)
Certainly, there are some applications which cannot cope with large RR sets (qmail comes to my mind).
Oh, that has to suck for email delivery, eh? :(
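The two failure modes discussed in this thread (a resolver that takes a TC=1 UDP reply as final, and a filter on tcp/53 towards the authoritative server that an "established" rule cannot fix, because the resolver is the side opening the connection) are easy to reproduce offline. The following is an added example, not code from either poster; it builds a minimal A/IN query, simulates an authoritative server that sets TC and returns only the question section when the answer would exceed the classic 512-byte UDP payload, and shows a resolver doing the RFC 1035 TCP retry with the 2-byte length framing. The server, the resolver, the name example.test and the 40 addresses in 192.0.2.0/24 are all constructed for the demonstration.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR = 0x8000   # message is a response
TC = 0x0200   # truncated: the answer did not fit in the UDP payload
RD = 0x0100   # recursion desired

UDP_MAX = 512  # classic UDP payload limit without EDNS0

# Constructed RRset: 40 A records, enough to overflow a 512-byte UDP reply
ADDRS = [(192, 0, 2, i) for i in range(1, 41)]


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qid: int, name: str) -> bytes:
    """A/IN query in wire format with RD set (header + one question)."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, addrs, udp: bool) -> bytes:
    """Simulated authoritative server (constructed, not a real implementation).

    Over UDP it behaves like a classic server: if the full answer would exceed
    UDP_MAX bytes it sets TC and returns only the question section. Over TCP
    it returns every A record.
    """
    qid, *_ = struct.unpack("!6H", query[:12])
    question = query[12:]
    # Each A RR: pointer to the question name (0xC00C) + type/class/ttl/rdlength + 4-byte rdata
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(a) for a in addrs)
    full = struct.pack("!6H", qid, QR | RD, 1, len(addrs), 0, 0) + question + rrs
    if udp and len(full) > UDP_MAX:
        return struct.pack("!6H", qid, QR | RD | TC, 1, 0, 0, 0) + question
    return full


def is_truncated(msg: bytes) -> bool:
    """True when a response carries TC: the client MUST retry the query over TCP."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & QR) and bool(flags & TC)


def answer_count(msg: bytes) -> int:
    """ANCOUNT from the header."""
    return struct.unpack("!H", msg[6:8])[0]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream: bytes) -> bytes:
    """Take one length-prefixed message off a TCP byte stream."""
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("short TCP read: need %d bytes, have %d" % (n, len(stream) - 2))
    return stream[2:2 + n]


class TcpBlocked(Exception):
    """Stands in for a filter dropping inbound tcp/53 at the authoritative server."""


def resolve(name: str, addrs, honor_tc: bool = True, tcp_to_server_allowed: bool = True) -> int:
    """Resolver side; returns the number of A records obtained.

    honor_tc=False models resolver code that treats the truncated UDP reply as
    final. tcp_to_server_allowed=False models the tcp/53 filter: a
    'permit ... established' rule does not help, since the resolver, not the
    server, is opening this connection.
    """
    query = build_query(0x1234, name)
    udp_reply = build_response(query, addrs, udp=True)
    if not (honor_tc and is_truncated(udp_reply)):
        return answer_count(udp_reply)
    if not tcp_to_server_allowed:
        raise TcpBlocked("tcp/53 to authoritative server filtered; cannot fetch full RRset")
    # Both directions are length-framed on the TCP stream.
    wire_query = tcp_frame(query)
    wire_reply = tcp_frame(build_response(tcp_unframe(wire_query), addrs, udp=False))
    return answer_count(tcp_unframe(wire_reply))


if __name__ == "__main__":
    print("correct resolver:", resolve("example.test", ADDRS))
    print("ignores TC:     ", resolve("example.test", ADDRS, honor_tc=False))
    try:
        resolve("example.test", ADDRS, tcp_to_server_allowed=False)
    except TcpBlocked as e:
        print("tcp/53 filtered:", e)
```

Run as a script, the correct resolver reports all 40 records, the resolver that ignores TC reports 0 (it accepted a reply whose answer section the server emptied), and the filtered case fails outright rather than degrading. A small RRset that fits in 512 bytes never triggers the TCP path, which is why filters like the one described in the thread go unnoticed until an RRset grows.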