Date: Tue, 7 Aug 2007 23:32:21 -0600 From: "Jason J. W. Williams" <williamsjj@digitar.com>
The answer is simple- because they are supposed to be allowed. By disallowing them you are breaking the agreed upon rules for the protocol. Before long it becomes impossible to implement new features because you can't be sure if someone else hasn't broken something intentionally.
I don't really have a dog in this fight about TCP 53. It does seem to me that it's a bit black and white to treat the RFCs as religious texts. It's important to follow them wherever possible, but frankly they don't foresee the bulk of the future security issues that usually materialize. So if a feature of the RFC isn't working for you security-wise, I believe it's your call to break with it there. As someone else said, don't complain when it breaks other things as well however.
It is worth noting that we are not talking about just RFCs here, but STD or "Internet Standards". RFCs are a variety of things, but when they become Internet Standards, they are supposed to be mandatory. That said, the STD makes opening TCP/53 non-mandatory as it is labeled as a "SHOULD", not a "MUST". Those blocking tcp/53 maybe stupid to do so, but they are only violating a strong recommendation and not a requirement. As is often pointed out, blocking port 53 will eventually almost certainly break something and I have yet to see a good argument for blocking TCP/53.
If you don't like the rules- then change the damned protocol. Stop just doing whatever you want and then complaining when other people disagree with you.
I think its possible to disagree without calling other folks stupid...
While the folks blocking or suggesting blocking TCP/53 may not be stupid, the act blocking it is. (Intelligent people do stupid things.) -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751