[dns-operations] Software that refuses an answer by QTYPE if it comes over plain UDP?

Olafur Gudmundsson ogud at ogud.com
Thu Mar 17 15:24:50 UTC 2016

> On Mar 16, 2016, at 7:45 AM, Tony Finch <dot at dotat.at> wrote:
> Dave Warren <davew at hireahit.com> wrote:
>> Yet CloudFlare went further, disabling them over TCP as well. I'm a little
>> disappointed by this as they're certainly a timesaver when troubleshooting
>> (although I suppose that doesn't make any difference to them)
> Hmm. Thinking about it further, you're probably right that from the point
> of view of avoiding bad effects from abuse, it's OK to give a full reply
> to ANY over TCP. I've amended my BIND patch to do that. (link below)
> Cloudflare have two reasons for minimal ANY responses: to quell abusive
> clients, and to avoid query amplification in the back-end of their DNS
> implementation. Their servers are on-demand DNSSEC signing proxies, and
> it's hard for them to assemble an ANY response. So they don't want to do
> it over TCP almost as much as over UDP.

The third reason is to give resolvers small answers they can cache and return. If we answered with big answers over TCP, then I'm sure someone will modify resolver code to do all ANY queries over TCP if the original ANY query returns only one RRset :-(.

Olafur (from CloudFlare) 
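The thread turns on two points: an ANY response can be many times the size of the query that elicited it, and a server can choose to return a single RRset (always, or only over UDP) to cut that down. The following is an added example, not code from Cloudflare, BIND, or anyone on the thread; it wire-encodes a constructed set of RRsets for a made-up name, measures the response size for each policy, and reports the bytes-out-per-byte-in ratio. The zone contents, the policy names and the function names are all assumptions made for this example.

```python
"""Added example: size of an ANY response under "full", "minimal", and
"minimal over UDP, full over TCP" policies.  All names, addresses and
RRsets are constructed sample data, not any operator's real zone."""
import ipaddress
import struct

HEADER_LEN = 12  # fixed DNS message header


def encode_name(name: str) -> bytes:
    """Wire-encode a fully qualified name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rdata(rtype: str, value) -> bytes:
    """Wire-encode RDATA for the handful of types this example uses."""
    if rtype == "A":
        return ipaddress.IPv4Address(value).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(value).packed
    if rtype == "MX":
        preference, exchange = value
        return struct.pack("!H", preference) + encode_name(exchange)
    if rtype == "TXT":
        # TXT RDATA is a sequence of <length><chars> strings.
        return b"".join(bytes([len(s)]) + s.encode("ascii") for s in value)
    raise ValueError(f"unsupported type {rtype}")


def rr_wire_len(owner: str, rtype: str, value) -> int:
    """Bytes for one RR: owner name, type(2), class(2), ttl(4), rdlength(2), rdata."""
    return len(encode_name(owner)) + 2 + 2 + 4 + 2 + len(encode_rdata(rtype, value))


def query_len(qname: str) -> int:
    """Bytes in a plain query: header plus question (qname, qtype, qclass)."""
    return HEADER_LEN + len(encode_name(qname)) + 2 + 2


def response_len(qname: str, rrsets: dict) -> int:
    """Bytes in a response that echoes the question and carries these RRsets as answers."""
    answers = sum(
        rr_wire_len(qname, rtype, value)
        for rtype, (_ttl, values) in rrsets.items()
        for value in values
    )
    return query_len(qname) + answers


def select_any(rrsets: dict, transport: str, policy: str) -> dict:
    """Choose which RRsets an ANY query gets back.

    "full":        everything (classic behaviour)
    "minimal":     a single RRset whatever the transport (the Cloudflare-style
                   behaviour discussed in the thread)
    "minimal-udp": a single RRset over UDP, everything over TCP (the behaviour
                   Tony Finch describes for his BIND patch)
    The first RRset in insertion order stands in for "one RRset" here.
    """
    if policy == "full" or (policy == "minimal-udp" and transport == "tcp"):
        return dict(rrsets)
    if policy in ("minimal", "minimal-udp"):
        first = next(iter(rrsets))
        return {first: rrsets[first]}
    raise ValueError(f"unknown policy {policy}")


def amplification(qname: str, rrsets: dict, transport: str, policy: str) -> float:
    """Bytes sent per byte received for one ANY query under this policy."""
    return response_len(qname, select_any(rrsets, transport, policy)) / query_len(qname)


# Constructed sample zone data: rtype -> (ttl, [rdata values]).
SAMPLE_NAME = "example.com."
SAMPLE_RRSETS = {
    "A":    (300, ["192.0.2.1", "192.0.2.2"]),
    "AAAA": (300, ["2001:db8::1"]),
    "MX":   (3600, [(10, "mail1.example.com."), (20, "mail2.example.com.")]),
    "TXT":  (3600, [["v=spf1 -all"]]),
}

if __name__ == "__main__":
    print(f"query: {query_len(SAMPLE_NAME)} bytes")
    for policy in ("full", "minimal", "minimal-udp"):
        for transport in ("udp", "tcp"):
            chosen = select_any(SAMPLE_RRSETS, transport, policy)
            size = response_len(SAMPLE_NAME, chosen)
            ratio = amplification(SAMPLE_NAME, SAMPLE_RRSETS, transport, policy)
            print(f"{policy:12s} {transport}: {sorted(chosen)} -> {size} bytes, x{ratio:.1f}")
```

With this four-RRset zone the full answer is 245 bytes against a 29-byte query, while the single-RRset answer is 83 bytes; real zones with many large records widen the gap further, which is the amplification the thread is concerned with. The "minimal-udp" row shows what Olafur's third point is about: once the TCP path hands back the full set, the small cacheable UDP answer is only useful if resolvers do not learn to retry every ANY over TCP.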
