[dns-operations] latest bind, EDNS & TCP

Simon Munton Simon.Munton at cdns.net
Mon Oct 13 08:55:07 UTC 2014

> Switching to TCP is quicker

I think this is a very short term view.

 From the packet trace I posted, you just have to look at the sheer 
number of packets, that running the same query over TCP causes, to have 
an idea of extra load this is going to put on TLD Name Servers if all 
resolvers start falling back to TCP at the drop of a hat.

Not to mention the fact that it means EVERY query is issued twice to the 
same name server. Even if the resolver ignores the answer, the workload 
on the name server is the same.

>   Most referrals even when signed will still fit in 512 bytes.

For most TLDs, for most referrals, this is *not* the case.

Most TLDs use NSEC3+OptOut and most registered zones within them don't 
sign, so an unsigned-referral proof is required.

I'm seeing in the region of ~600 bytes (580 to 620), 583 was the 
smallest I could find (without trying /too/ hard)

$ dig +norec +dnssec @a-dns.pl. far.pl

There is also the very high level of NXDOMAINs that TLDs often see to be 

More information about the dns-operations mailing list