Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
    > On 3/9/19 7:21 PM, Mark Andrews wrote:
    >> First of all, firewall vendors are changing their views on DNS. Lots of default blockages have gone, and UPDATE is no more dangerous than QUERY.
    >>
    >> Checkpoint have removed their default QUERY blocks. Similarly, Juniper have also removed their default blocks. If there are blocks on UPDATE, they can similarly be removed. Nameservers that support UPDATE don't need external protection.
    >>
    >> UPDATE has had fine-grained authentication for 15+ years since the invention of TCP, TSIG and SIG(0). See update-policy in BIND for an example. TCP is still hard to spoof and is useful for some updates, especially in the reverse tree.
    > Yes, but there are zillions of SOHO routers deployed that still implement
    > such blocks in firmware, are unlikely to be updated, and will be replaced
    > only slowly.

SOHO routers are not enterprises, and most do rather fine today with mDNS.
And homenet is making progress for front-end naming under the end-user's control.
So, this is a red herring.

    > It's been a while, but last time I looked, I couldn't find a single DNS
    > registry that implemented UPDATE. For better or worse, many organizations
    > (some large ones) use godaddy or similar services for their public-facing
    > DNS.

Lots of dumb people out there :-)

Many enterprises use primary DNS providers that expect a stealth primary and use AXFR.
Most could support UPDATE if the customer asked for it, I think. (I worked for one for a year)

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works
 -= IPv6 IoT consulting =-
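As an added illustration of the fine-grained UPDATE authorization Mark Andrews refers to (this fragment is not from any message in the thread), a BIND named.conf excerpt that binds a TSIG key to one host and, via update-policy, lets it change only its own A/AAAA records and its own PTR in the reverse tree. The key name, secret, zone names and address are constructed placeholders:

```conf
// Constructed example: one TSIG key shared with a single host.
// The secret is a placeholder, not a real key.
key "host1-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET=";
};

zone "example.net" {
    type master;
    file "example.net.db";
    // Least privilege: this key may only add/remove A and AAAA
    // records for the single name host1.example.net, nothing else.
    update-policy {
        grant host1-key name host1.example.net A AAAA;
    };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "1.168.192.db";
    // The same key may only touch its own PTR record in the reverse tree.
    update-policy {
        grant host1-key name 10.1.168.192.in-addr.arpa PTR;
    };
};
```

Any UPDATE signed with another key, or targeting another name or record type, is refused by the server itself, which is why such a zone does not depend on a firewall blocking UPDATE.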