Date: 17 Mar 2001 13:46:02 -0000
Message-ID: <20010317134602.7103.qmail@cr.yp.to>
From: "D. J. Bernstein"
To: namedroppers@ops.ietf.org
Subject: Re: DNSEXT WGLC: AXFR Clarify
References: <20010316112608.17239.qmail@cr.yp.to> <200103161409.f2GE94h59368@drugs.dv.isc.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Mark.Andrews@nominum.com writes:
> They only "don't work" if you block AXFR.

Blocking AXFR is now standard practice. As stated in the BIND book, 3rd
edition, page 252: ``Even more important than controlling who can query
your name server is ensuring that only your real slave name servers can
transfer zones from your name server.''

> I think that checking the query id is
> one of the cheaper checks that can be done.

Thank you for sharing your opinion. Now please read RFC 2119, section 6:
you are _not_ allowed to require or recommend behavior except ``where it
is actually required for interoperation or to limit behavior which has
potential for causing harm (e.g., limiting retransmissions).'' You are
not allowed to ``try to impose a particular method on implementors where
the method is not required for interoperability.''

[ server closing the connection rather than sending an error message ]
> As I said it breaks the ability to get multiple AXFR responses
> on one socket.

False. I've explained how you can write a client that will correctly
receive multiplexed AXFR responses from multiplexing AXFR servers,
correctly receive a series of non-multiplexed AXFR responses from other
servers, and handle errors properly.

Any client that makes your naive ``connections will never close''
assumption is broken; consider what happens if the server loses power,
for example.

In the real world, client implementors open separate TCP connections for
separate zone transfers, so your ``ability'' is a figment of your
imagination. (Most server implementors don't even support nontrivial
multiplexing; after all, why should they bother?)

But you're still wrong when you say that the ability is broken by
servers closing connections.

---Dan
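The client behaviour argued for above (match each TCP response to an outstanding transfer by query id, treat the second SOA as the end of that transfer, treat a closed connection as the end of everything still open, and never mistake an early close for success) as an added Python example; it is not code from this message or from any DNS implementation. The wire-format details are plain RFC 1035 (2-byte length prefix, 12-byte header, name compression), and the sample stream, query ids and `example.com` records are constructed here.

```python
import struct
SOA, AXFR = 6, 252                               # RR type SOA, QTYPE AXFR

def _skip_name(msg, off):  # offset just past a possibly compressed name
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2  # a compression pointer is 2 bytes and ends the name

def parse_answer(msg):
    """Return (id, rcode, number of SOA RRs in the answer section)."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, soa = 12, 0
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, soa = off + 10 + rdlen, soa + (rtype == SOA)
    return qid, flags & 0xF, soa

def read_axfr_stream(stream, sent_ids):
    """Walk the bytes received on one TCP connection until the peer closed it.
    Responses are matched to our transfers by id (multiplexed or sequential),
    each ends at its second SOA, and anything still open at close is incomplete."""
    soa_seen, status, off = {i: 0 for i in sent_ids}, {}, 0
    while off + 2 <= len(stream):
        mlen = struct.unpack("!H", stream[off:off + 2])[0]
        msg, off = stream[off + 2:off + 2 + mlen], off + 2 + mlen
        if len(msg) < mlen:
            break                                 # message cut off by the close
        qid, rcode, soa = parse_answer(msg)
        if qid not in soa_seen or qid in status:
            continue                              # not ours, or already finished
        soa_seen[qid] += soa
        if rcode or soa_seen[qid] >= 2:
            status[qid] = "error" if rcode else "complete"
    return {i: status.get(i, "incomplete") for i in sent_ids}

def _reply(qid, rcode, rtypes):  # constructed AXFR response, empty rdata
    name = b"\x07example\x03com\x00"             # question name at offset 12
    hdr = struct.pack("!HHHHHH", qid, 0x8000 | rcode, 1, len(rtypes), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, 0) for t in rtypes)
    msg = hdr + name + struct.pack("!HH", AXFR, 1) + rrs
    return struct.pack("!H", len(msg)) + msg

# Constructed stream: ids 1 and 2 interleaved, 3 refused, 7 never sent by us.
SAMPLE = (_reply(1, 0, [SOA, 2]) + _reply(2, 0, [SOA]) + _reply(3, 5, [])
          + _reply(7, 0, [SOA, SOA]) + _reply(1, 0, [1, SOA]))
```

`read_axfr_stream(SAMPLE, [1, 2, 3])` reports id 1 complete, id 2 incomplete (the peer closed before its second SOA) and id 3 as an error; the id 7 response is dropped because it matches no query this client sent.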