<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: questions

  • To: "Conroy, Lawrence (SMTP)" < >
    Max Tulyev < >
  • From: Jim Reid < >
  • Date: Tue, 25 Nov 2003 15:35:36 +0000

>>>>> "lwc" == Conroy, Lawrence (SMTP) lwc@localhost writes:

    lwc> Hi again Jim, folks, - Current resolvers do switch to TCP,
    lwc> but I know of clients that only talk UDP.  Yup, EDNS0 is a
    lwc> solution, but these cut-down UDP-only DNS clients may well
    lwc> not handle that either.  Before the obvious "well, don't do
    lwc> it" answer is elicited, Mobile Phones are small and can be
    lwc> nasty environments with a laughable amount of memory and/or
    lwc> ugly apologies for a networking API.  In such limited
    lwc> clients, a DNS answer with the truncation flag set is a fact
    lwc> of life. I, for one, would like to use ENUM before this
    lwc> situation improves (or hell freezes over, whichever comes
    lwc> 1st).

I share your enthusiasm for getting ENUM deployed soon. However I
don't care about the broken and useless DNS clients above. They're not
going to work in an ENUM world. Darwinism will take care of them. And
sure, the hardware constraints on a mobile phone software are ugly. But
if they've got enough hardware to do colour video, there should be
enough left over for a correct DNS resolver.

    lwc>    - By no means all DNS servers accept TCP queries. Even if
    lwc> someone has configured the server to do so, firewalls outside
    lwc> of their control may well block TCP traffic on port 53 - (it
    lwc> has happened :).

Indeed. But if people don't know how to configure things properly,
they only have themselves to blame when something as fundamental as
DNS lookups break.

    lwc> I would be surprised if full DNSSEC-capable resolvers turned
    lwc> up in my mobile phone anytime soon, but maybe they can work
    lwc> with a full resolver that does do DNSSEC.

Hmmm. This brings another set of problems: like establishing a trust
relationship and secure communication path to that full service
resolver. These might be just as hard/easy to solve as putting a full
DNSSEC validator in the phone.

    lwc> Now, who's going to tell the IT Department that 53/UDP is not
    lwc> enough?  ... and finally, the hard bit - who's going to
    lwc> explain to them why :(?

Pointing them at any decent book on firewalls or internet security
should do the trick. Like pp541-544 of "Building Internet Firewalls"
(2nd edition).




  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>