[dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jun 12 08:14:10 UTC 2012

On Tue, Jun 12, 2012 at 03:32:56AM +0000,
 Vernon Schryver <vjs at rhyolite.com> wrote 
 a message of 76 lines which said:

> Joe and Joan should be using their ISP's validating, load balancing,
> well (or at least somewhat) maintained DNS servers, just as they
> should be using their ISP's SMTP systems.

A strong NO here. Politically, it would be a big nail in Net
Neutrality's coffin. Also, many ISPs have lying resolvers and customers
should NOT use them. From a security perspective, it would be
catastrophic since the last mile is not secured, so the only safe way
to run DNSSEC is to validate locally (which requires access to port 53
if the ISP resolver is lying).

I leave these proposals to MAAWG and the Chinese government.

