RFC 1123 said DNS/TCP is a SHOULD. Most of the name servers in the world actually implemented DNS/TCP. All the stub resolvers in the world actually implemented DNS/TCP.

The problem is that a myth grew up that DNS/TCP was only for AXFR, so people configured firewalls to block DNS/TCP as a way of blocking AXFR. And there are others that turned the SHOULD into MAY when reading RFC 1123.

There were also a few CPE vendors that appear to have not read RFC 1123, because if they had I fail to see how they can justify not supporting DNS/TCP. Then there are idiotic CPE vendors like the one below that outright lie to DNS/TCP queries. Nowhere does any RFC permit that.

Mark

On 16/12/2015, at 12:00 AM, Jared Mauch <jared@xxxxxxxxxxxxxxx> wrote:

> There is the constant problem that the internet is viewed
> through the lens of a TCP{80,443} transport, but that's another topic.
>
> I'm talking about ALG that actively breaks things or exposes
> the end devices to increased attack surfaces due to devices that will
> never be properly maintained or are impossible to report defects against.
>
> I look at the work in DNSOP to document that queries over
> TCP are acceptable, but you end up with devices where they will never
> be upgraded and do this:
>
> https://www.cloudshark.org/captures/273da18d3057
>
> Returning REFUSED is certainly not the right policy choice here
> for a home gateway device.
>
> - Jared
>
> --
> Jared Mauch | pgp key available via finger from jared@xxxxxxxxxxxxxxx
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
>
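The behaviour the thread complains about (a gateway answering a DNS query over TCP with RCODE REFUSED) is easy to check for yourself. The script below is an added example written for this page, not code from the thread or from either poster: it builds a minimal query, frames it with the 2-byte length prefix RFC 1035 requires over TCP, and classifies the response header so a REFUSED-over-TCP answer is reported as such rather than as a generic failure. The constructed sample response, the `example.com` name and the 192.0.2.1 address are assumptions for illustration; point `probe_tcp` at the resolver address your CPE hands out to test a real device.

```python
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1; REFUSED is 5.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set plus one question (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def tcp_frame(message):
    """RFC 1035 4.2.2: over TCP every message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def parse_header(message):
    """Decode the fixed 12-byte header; the flag bits are what we care about here."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "tc": bool(flags & 0x0200),   # truncated (should never be set over TCP)
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, str(rcode)),
        "qdcount": qd,
        "ancount": an,
    }


def classify_tcp_response(query, response):
    """Label a TCP response: NOERROR/NXDOMAIN are normal; REFUSED to a plain
    recursive query over TCP is the misbehaviour discussed in the thread."""
    q = parse_header(query)
    r = parse_header(response)
    if r["id"] != q["id"]:
        return "mismatched-id"
    if not r["qr"]:
        return "not-a-response"
    if r["rcode"] == 5:
        return "refused-over-tcp"
    if r["rcode"] in (0, 3):
        return "ok"
    return "error:" + r["rcode_name"]


def read_tcp_message(sock):
    """Read exactly one length-prefixed message off a connected TCP socket."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", recv_exact(2))
    return recv_exact(length)


def probe_tcp(server, name, port=53, timeout=5.0):
    """Send one A query over TCP and classify what comes back (needs network access)."""
    query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(tcp_frame(query))
        response = read_tcp_message(sock)
    return classify_tcp_response(query, response), parse_header(response)


# Constructed sample (not captured from a real device): the response a gateway that
# "lies" to TCP queries would send. Flags 0x8185 = QR=1, RD=1, RA=1, RCODE=5 (REFUSED);
# the question section is echoed back, answer/authority/additional are empty.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                  + build_query("example.com")[12:])

if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation address standing in for your gateway's resolver.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(probe_tcp(server, "example.com"))
```

Run it as `python3 dnstcp_probe.py <gateway-ip>`; a verdict of `refused-over-tcp` with the same query succeeding over UDP is exactly the symptom in the linked capture. The TC flag is decoded as well because a device that sets TC on a TCP reply is another sign it is not really speaking DNS/TCP.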