[dns-operations] Software that refuses an answer by QTYPE if it comes over plain UDP?
Olafur Gudmundsson
ogud at ogud.com
Thu Mar 17 15:24:50 UTC 2016
> On Mar 16, 2016, at 7:45 AM, Tony Finch <dot at dotat.at> wrote:
>
> Dave Warren <davew at hireahit.com> wrote:
>>
>> Yet CloudFlare went further, disabling them over TCP as well. I'm a little
>> disappointed by this as they're certainly a timesaver when troubleshooting
>> (although I suppose that doesn't make any difference to them)
>
> Hmm. Thinking about it further, you're probably right that from the point
> of view of avoiding bad effects from abuse, it's OK to give a full reply
> to ANY over TCP. I've amended my BIND patch to do that. (link below)
>
> Cloudflare have two reasons for minimal ANY responses: to quell abusive
> clients, and to avoid query amplification in the back-end of their DNS
> implementation. Their servers are on-demand DNSSEC signing proxies, and
> it's hard for them to assemble an ANY response. So they don't want to do
> it over TCP almost as much as over UDP.
>
The third reason is to give resolvers small answers they can cache and return, if we answered with a big answers over TCP then
I’m sure someone will modify resolver code to do all ANY queries over TCP, if the original ANY query returns only one RRset :-(.
Olafur (from CloudFlare)
More information about the dns-operations
mailing list