- Date: Tue, 25 Nov 2003 15:35:36 +0000
>>>>> "lwc" == Conroy, Lawrence (SMTP) lwc@localhost writes:
lwc> Hi again Jim, folks, - Current resolvers do switch to TCP,
lwc> but I know of clients that only talk UDP. Yup, EDNS0 is a
lwc> solution, but these cut-down UDP-only DNS clients may well
lwc> not handle that either. Before the obvious "well, don't do
lwc> it" answer is elicited, Mobile Phones are small and can be
lwc> nasty environments with a laughable amount of memory and/or
lwc> ugly apologies for a networking API. In such limited
lwc> clients, a DNS answer with the truncation flag set is a fact
lwc> of life. I, for one, would like to use ENUM before this
lwc> situation improves (or hell freezes over, whichever comes

I share your enthusiasm for getting ENUM deployed soon. However I
don't care about the broken and useless DNS clients above. They're not
going to work in an ENUM world. Darwinism will take care of them. And
sure, the hardware constraints on mobile phone software are ugly. But
if they've got enough hardware to do colour video, there should be
enough left over for a correct DNS resolver.

lwc> - By no means all DNS servers accept TCP queries. Even if
lwc> someone has configured the server to do so, firewalls outside
lwc> of their control may well block TCP traffic on port 53 - (it
lwc> has happened :).

Indeed. But if people don't know how to configure things properly,
they only have themselves to blame when something as fundamental as
DNS lookups break.

lwc> I would be surprised if full DNSSEC-capable resolvers turned
lwc> up in my mobile phone anytime soon, but maybe they can work
lwc> with a full resolver that does do DNSSEC.

Hmmm. This brings another set of problems: like establishing a trust
relationship and secure communication path to that full service
resolver. These might be just as hard/easy to solve as putting a full
DNSSEC validator in the phone.

lwc> Now, who's going to tell the IT Department that 53/UDP is not
lwc> enough? ... and finally, the hard bit - who's going to
lwc> explain to them why :(?

Pointing them at any decent book on firewalls or internet security
should do the trick. Like pp541-544 of "Building Internet Firewalls"
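The behaviour argued over in this exchange, as an added example that is not part of the thread and not code from either correspondent: a minimal stub resolver that asks over UDP, retries over TCP when the answer comes back with the TC bit set, and can advertise a larger UDP payload via an EDNS0 OPT record so the retry is not needed. The "nameserver" is a constructed in-process stand-in (one oversized NAPTR record of filler bytes, a made-up e164.arpa name), so the script runs offline; the transports are injected so a UDP-only client, as on the phones described above, can be modelled by passing no TCP transport.

```python
import struct

# Wire-format DNS header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000          # message is a response
FLAG_TC = 0x0200          # truncation: the answer did not fit the UDP payload
FLAG_RD = 0x0100          # recursion desired
TYPE_NAPTR = 35           # the record type ENUM uses
TYPE_OPT = 41             # EDNS0 pseudo-record (RFC 2671)
CLASS_IN = 1
DEFAULT_UDP_SIZE = 512    # what a client without EDNS0 can accept


class TruncatedAnswer(Exception):
    """Raised when a truncated UDP reply cannot be retried over TCP."""


def encode_name(name):
    """Encode a dotted name as DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid, name, qtype=TYPE_NAPTR, edns_udp_size=None):
    """Build a query; with edns_udp_size, append an OPT RR advertising that payload size."""
    msg = DNS_HEADER.pack(qid, FLAG_RD, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext. RCODE/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Split the 12-byte header into its fields."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {"id": qid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_truncated(msg):
    return bool(parse_header(msg)["flags"] & FLAG_TC)


def advertised_udp_size(query):
    """UDP payload size from a trailing OPT RR, or 512 if the query carries none."""
    if parse_header(query)["arcount"] == 0 or len(query) < 11:
        return DEFAULT_UDP_SIZE
    root, rtype, size, _ttl, _rdlen = struct.unpack("!BHHIH", query[-11:])
    return size if root == 0 and rtype == TYPE_OPT else DEFAULT_UDP_SIZE


def resolve(name, qid, send_udp, send_tcp=None, edns_udp_size=4096):
    """What a correct stub resolver does: ask over UDP, and if TC is set re-ask over TCP.
    send_udp/send_tcp are injected transports; send_tcp=None models a UDP-only client."""
    query = build_query(qid, name, edns_udp_size=edns_udp_size)
    reply = send_udp(query)
    hdr = parse_header(reply)
    if hdr["id"] != qid or not hdr["flags"] & FLAG_QR:
        raise ValueError("reply does not match the query")
    if not is_truncated(reply):
        return reply, "udp"
    if send_tcp is None:
        raise TruncatedAnswer("truncated UDP answer and no TCP transport available")
    framed = send_tcp(struct.pack("!H", len(query)) + query)   # TCP adds a 2-byte length prefix
    length = struct.unpack("!H", framed[:2])[0]
    return framed[2:2 + length], "tcp"


def make_fake_server(name, rdata=b"x" * 600):
    """Constructed stand-in for a nameserver holding one oversized NAPTR answer
    (600 bytes of filler, not real ENUM data). Answers in full when the client
    can take it (EDNS0 size or TCP), otherwise sets TC and drops the answer section."""
    question = encode_name(name) + struct.pack("!HH", TYPE_NAPTR, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NAPTR, CLASS_IN, 60, len(rdata)) + rdata

    def full_reply(query):
        return DNS_HEADER.pack(parse_header(query)["id"], FLAG_QR | FLAG_RD, 1, 1, 0, 0) + question + answer

    def send_udp(query):
        reply = full_reply(query)
        if len(reply) <= advertised_udp_size(query):
            return reply
        return DNS_HEADER.pack(parse_header(query)["id"], FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0) + question

    def send_tcp(framed):
        length = struct.unpack("!H", framed[:2])[0]
        reply = full_reply(framed[2:2 + length])
        return struct.pack("!H", len(reply)) + reply

    return send_udp, send_tcp


if __name__ == "__main__":
    enum_name = "2.1.2.1.5.5.5.0.0.8.1.e164.arpa"   # constructed E.164 name
    udp, tcp = make_fake_server(enum_name)
    print(resolve(enum_name, 0x1234, udp, tcp, edns_udp_size=None)[1])   # tcp: TC set, retried
    print(resolve(enum_name, 0x1235, udp, tcp, edns_udp_size=4096)[1])   # udp: EDNS0 made it fit
```

Run as-is it prints "tcp" then "udp": without EDNS0 the 600-byte answer exceeds the 512-byte default, the server sets TC and the client has to retry over TCP; with an OPT record advertising 4096 the same answer fits in one UDP datagram. A client that only has send_udp gets TruncatedAnswer instead of a silently empty answer section, which is the failure the quoted text describes for cut-down phone resolvers.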