[dns-operations] Writeup of Spring Workshop
Paul Vixie
paul at redbarn.org
Tue May 12 18:48:05 UTC 2015
Wolff, Nicholas (Nick) wrote:
> On 5/12/15, 1:29 PM, "Paul Vixie" <paul at redbarn.org> wrote:
>
>> can you rank the following in terms of (a) level of difficulty and MTTR,
>> and (b) your willingness to help?
>>
>> (1) make EDNS0 work near-universally
>> (2) use a new port number
>> (3) fix TCP/53
>>
>> i've listed them in my own ease-of-getting-there.
>>
>> my proposal is a tcp proxy which tunnels dns over http (in binary form,
>> no xml or json). to be released shortly.
>
>
> So maybe a stupid question but what is wrong with tcp on port 53
> specifically.
this has been discussed, here and elsewhere, quite a bit. you can start
here:
http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
there's also these:
http://www.mail-archive.com/dnsop@ietf.org/msg08377.html
http://www.mail-archive.com/dnsop@ietf.org/msg08382.html
and finally, this:
http://queue.acm.org/detail.cfm?id=1242499
> I understand what is wrong with tcp but why does the port 53
> part matter? Just because it's some known port to easily ddos? What are
> the alternatives? A different port with a different tcp syntax? Some
> mechanism where the udp truncation bit is set and it then passes back a
> specific port to use over tcp?
>
> Sorry for the mass of questions, just feel like I'm missing a large piece
> of this discussion.
you apparently did. the port (53) matters only because of
originally-specified behaviour, which we would have to re-negotiate
using new signalling, which is not easier than "use a different port
number" nor "fix EDNS0" nor "define a standard HTTP/HTTPS proxy schema
for this."
vixie
--
Paul Vixie
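For readers following Nick's question about the truncation bit and EDNS0: the following is an added, self-contained example (not code from the thread, Paul Vixie, or any DNS implementation) showing the mechanics the discussion takes for granted. It builds a query carrying an EDNS0 OPT pseudo-RR (RFC 6891) that advertises a UDP payload size above the classic 512 bytes, parses the TC bit out of a reply header, and implements the standard client fallback: when a UDP reply is truncated the same query is repeated over TCP on the same port 53, with the 2-byte length framing that TCP/53 uses. All packets (`QUERY`, `TRUNCATED_UDP_REPLY`, `FULL_TCP_REPLY`) and the `fake_udp`/`fake_tcp` transports are constructed in the block so it runs offline; no real server is contacted.

```python
import struct

# Minimal DNS wire-format helpers, constructed for this example.
QTYPE_A = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_QR = 0x8000
FLAG_TC = 0x0200       # TrunCation: UDP reply was cut off, retry over TCP/53
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234, edns_udp_size=None):
    """Build a query; with edns_udp_size, append an OPT RR telling the server
    this client can receive UDP payloads larger than 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL field = extended RCODE / EDNS version / flags (all zero), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer (0xC0..) is two bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def find_opt(msg):
    """Walk all sections and return the EDNS0 OPT parameters, or None if absent."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return {"udp_size": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
        off += 10 + rdlen
    return None


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(data):
    """Split a TCP byte stream into complete messages; return (messages, leftover)."""
    msgs = []
    while len(data) >= 2:
        n = struct.unpack("!H", data[:2])[0]
        if len(data) < 2 + n:
            break
        msgs.append(data[2:2 + n])
        data = data[2 + n:]
    return msgs, data


def resolve(query, udp_send, tcp_send):
    """Classic client logic: try UDP first; if the reply has TC set, repeat the
    same query over TCP on the same port 53 and use that answer instead.
    udp_send/tcp_send are injected transports so this runs offline."""
    reply = udp_send(query)
    if parse_header(reply)["tc"]:
        msgs, _ = split_tcp_stream(tcp_send(tcp_frame(query)))
        return msgs[0], "tcp"
    return reply, "udp"


# --- constructed sample traffic (not captured from any real server) ---
QUERY = build_query("example.com", edns_udp_size=4096)
QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
# A server whose answer does not fit the UDP budget echoes the question with TC=1.
TRUNCATED_UDP_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA,
                                  1, 0, 0, 0) + QUESTION
# Over TCP the full answer fits: one A record (name = pointer to offset 12) plus the server's OPT.
FULL_TCP_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1) + QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
                  + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0))


def fake_udp(q):
    return TRUNCATED_UDP_REPLY


def fake_tcp(framed):
    assert split_tcp_stream(framed)[0][0] == QUERY   # same query, only the framing differs
    return tcp_frame(FULL_TCP_REPLY)


if __name__ == "__main__":
    reply, transport = resolve(QUERY, fake_udp, fake_tcp)
    print(transport, parse_header(reply), find_opt(reply))
```

The point this makes concrete: the TC bit does not carry a port number, it only tells the client to retry over TCP at the same port 53, which is why any scheme that "passes back a specific port" would need new signalling in the protocol. The OPT record is likewise the only place a client advertises that it can take a larger UDP payload, so a path that strips or mangles EDNS0 pushes more traffic into exactly the TCP/53 fallback the thread is debating.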