[dns-operations] The possible problems after May 5th

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Apr 9 10:41:21 UTC 2010


On Fri, Apr 09, 2010 at 09:22:05AM +1000,
 Mark Andrews <marka at isc.org> wrote 
 a message of 41 lines which said:

> Apart for djbdns can you name another nameserver that doesn't listen
> for TCP by default?

Akamai's custom written from scratch closed name server. (Apparently,
they are in the process of deploying an EDNS-capable and TCP-capable
version.)

> They may have firewalls in front of them that block incoming TCP but
> they still listen.

Frankly, Mark, I do not understand you. Of course, the TCP problem is,
in 99.999 % of the cases, in a middlebox (such as a firewall), not in
the name server software. But what difference does it make? For the
domains indicated by Dempsky, the domain name cannot be resolved over
TCP, period. This is a common problem and it is something that must be
fixed before May 5th.

I can testify that the problem is common since AFNIC requires TCP to
work before an actual delegation of a .fr domain name and it makes a
lot of phone calls and angry emails. Very often, the problem is
difficult to solve precisely because it is hidden in a middlebox and
the name server manager does not understand it immediately. There is
no point in denying that, we should instead be busy spreading the
word: "Test and upgrade before May 5th". (Zonecheck
<http://www.zonecheck.fr/>, the program we use, is an ordinary DNS
client, it tries with TCP, if it fails, it fails, it cannot know where
the failure is.)

[Same thing for the UNability to receive answers > 512 or > 1500, of
course, it is not the name server software's fault but the result is
the same.]
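The kind of check described above (an ordinary DNS client that simply tries TCP and reports whether it worked, plus an EDNS0 OPT record so the server may send answers larger than 512 bytes), as an added example; this is not code from the thread or from Zonecheck, and the server address and query name are assumed placeholders:

```python
import socket
import struct

def build_query(qname, qtype=1, edns_size=4096, qid=0x1234):
    """Build a DNS query (RD=1) with an EDNS0 OPT record advertising edns_size."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qn + struct.pack(">HH", qtype, 1)          # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_size, 0, 0)
    return header + question + opt

def parse_header(msg):
    """Return the fields a TCP/EDNS check cares about: TC bit, RCODE, section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answers": an, "additional": ar}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_tcp(server, qname, qtype=1, timeout=5.0):
    """Send the query over TCP with the RFC 1035 two-byte length prefix and return the reply."""
    q = build_query(qname, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)
        (length,) = struct.unpack(">H", recv_exact(s, 2))
        return recv_exact(s, length)

def tcp_check(server, qname):
    """Like the client described in the post: try TCP, and if it fails, just report that it failed.
    A refused or timed-out connection is exactly what a blocking middlebox looks like from outside."""
    try:
        resp = query_tcp(server, qname)
    except (OSError, ConnectionError) as e:
        return f"FAIL: no DNS over TCP from {server} ({e})"
    h = parse_header(resp)
    return f"OK: {len(resp)} bytes over TCP, rcode={h['rcode']}, answers={h['answers']}"

if __name__ == "__main__":
    # Placeholder server and name (assumptions): replace with a zone's authoritative server.
    print(tcp_check("192.0.2.53", "example.fr"))
```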