Re: I don't need no stinking firewall!

About Merit

Services

Network

Resources & Support

Network Research

News

Events

Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: I don't need no stinking firewall!

From: Tony Finch
Date: Wed Jan 06 09:39:57 2010

List-archive: <http://mailman.nanog.org/mailman/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>

On Tue, 5 Jan 2010, Kevin Oberman wrote:
>
> I suspect at least part of this will soon get fixed due to DNSSEC.
> Blocking tcp/53 and packets over 512 bytes will cause user complaints
> and, after enough education, the problem will get fixed.

Yes. Remember the root zone is due to be signed within the next six
months, and many nameservers (BIND in particular) request DNSSEC data by
default. You WILL have to deal with large DNS replies SOON - the first
ones from the root servers will appear this month.

http://www.root-dnssec.org/

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.

References:
- Re: I don't need no stinking firewall! Kevin Oberman

Prev by Date: Re: I don't need no stinking firewall!
Next by Date: Re: I don't need no stinking firewall!
Date Index
Thread Index
Author Index
Historical