[dns-operations] Questions on DNS Flag day 2020 proposal

Jimmy Hess mysidia at gmail.com
Wed Jul 3 18:40:29 UTC 2019


On Mon, Jun 24, 2019 at 1:19 AM Mark Andrews <marka at isc.org> wrote:
[snip]
"Performant" TCP is optional per the standard.

TCP connections to an authoritative server are normally expected
for administrative/diag purposes, replication/updates/zone transfer traffic
(IXFR/AXFR), or when that authoritative server has already
responded to a UDP query with a Truncate reply, and not routinely
in any other case -- and these are the only situations where
limiting or denying TCP should affect normal queries.

Authoritative DNS deployments have the option of providing
maximal performance to the UDP service and providing
extremely limited performance to the TCP service; due to
the high overhead and state tracking requirements of
the TCP protocol -- a single malicious DNS resolver can
potentially block the TCP service by holding open and
consuming all connections.

Look at what STD 13 says about TCP connection policies:

"- The server should support multiple connections."

Note the use of the word SHOULD, not MUST. A DNS implementation
may choose to support only one or a small number of simultaneous global
TCP connections, and reject/discard others, or block further
connections as SYN_Received unack'ed until someone else closes
a connection to the service.


> Deploying new features requires that the exception handling in the deployed code
> works as specified.
>
> TCP has never been optional.
> Mark
--
-JH
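The connection policy the post describes (a small global cap on simultaneous TCP connections, with others refused) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the dns-operations thread or from any DNS server; it goes a little beyond the post by also adding a per-source-address cap and an idle timeout, which is what keeps one resolver that holds connections open from consuming the whole TCP budget. The addresses, the `TcpAdmissionPolicy` class, the `FakeClock` helper and the two UDP reply headers are all constructed for the simulation; the `tc_bit_set` check only reads the TC flag from a standard 12-byte DNS header, which is the one case in which a client is expected to retry over TCP.

```python
"""Admission-control model for a DNS-over-TCP listener (added example, not
from the mailing-list post): global cap, per-client cap, idle reclamation."""
import struct
import time


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the simulation is repeatable."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TcpAdmissionPolicy:
    """Caps simultaneous DNS TCP connections globally and per source address,
    and reclaims connections that sit idle, so that one resolver holding
    connections open cannot starve every other client of TCP service."""

    def __init__(self, global_max, per_client_max, idle_timeout, clock=None):
        self.global_max = global_max
        self.per_client_max = per_client_max
        self.idle_timeout = idle_timeout
        self._clock = clock or time.monotonic
        self._open = {}        # connection id -> (client_ip, last_activity)
        self._next_id = 0

    def expire_idle(self):
        """Drop connections idle for at least idle_timeout; return how many were dropped."""
        now = self._clock()
        stale = [cid for cid, (_, last) in self._open.items()
                 if now - last >= self.idle_timeout]
        for cid in stale:
            del self._open[cid]
        return len(stale)

    def open_count(self, client_ip=None):
        """Open connections in total, or for one source address."""
        if client_ip is None:
            return len(self._open)
        return sum(1 for ip, _ in self._open.values() if ip == client_ip)

    def admit(self, client_ip):
        """Return a connection id if the connection is accepted, else None (refused)."""
        self.expire_idle()
        if self.open_count() >= self.global_max:
            return None
        if self.open_count(client_ip) >= self.per_client_max:
            return None
        cid = self._next_id
        self._next_id += 1
        self._open[cid] = (client_ip, self._clock())
        return cid

    def touch(self, cid):
        """Record activity (a query or response) on an open connection."""
        ip, _ = self._open[cid]
        self._open[cid] = (ip, self._clock())

    def close(self, cid):
        self._open.pop(cid, None)


def tc_bit_set(dns_message):
    """True if the TC (truncated) flag is set in a DNS message header.
    Flags occupy bytes 2-3 of the 12-byte header; TC is bit 0x0200."""
    if len(dns_message) < 12:
        raise ValueError("shorter than a DNS header")
    (flags,) = struct.unpack("!H", dns_message[2:4])
    return bool(flags & 0x0200)


# Constructed UDP reply headers (not captured traffic): id 0x1234, QR/RD/RA set,
# one question, zero answers. The first also has TC set, the signal to retry over TCP.
TRUNCATED_UDP_REPLY = bytes.fromhex("1234 8380 0001 0000 0000 0000")
COMPLETE_UDP_REPLY = bytes.fromhex("1234 8180 0001 0000 0000 0000")


def simulate():
    """One resolver (constructed address 10.0.0.1) tries to open 20 connections
    and then goes idle; three other clients (constructed 192.0.2.x) want one each."""
    clock = FakeClock()
    policy = TcpAdmissionPolicy(global_max=4, per_client_max=2,
                                idle_timeout=5.0, clock=clock)
    greedy = "10.0.0.1"
    greedy_accepted = sum(1 for _ in range(20) if policy.admit(greedy) is not None)

    others = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    other_conns = {ip: policy.admit(ip) for ip in others}
    others_accepted = sum(1 for cid in other_conns.values() if cid is not None)

    # Active clients keep their connections alive; the idle ones age out.
    clock.advance(3.0)
    for cid in other_conns.values():
        if cid is not None:
            policy.touch(cid)
    clock.advance(3.0)
    third_admitted = policy.admit("192.0.2.12") is not None

    return {
        "greedy_accepted": greedy_accepted,            # capped at 2 by the per-client limit
        "others_accepted": others_accepted,            # 2 of 3; the global cap of 4 is hit
        "third_admitted_after_expiry": third_admitted, # idle greedy connections reclaimed
        "open_at_end": policy.open_count(),
    }


if __name__ == "__main__":
    print(simulate())
```

The per-client cap is what turns the post's "one or a small number of global connections" into something a single misbehaving resolver cannot monopolise: the greedy client gets its two slots and no more, and once those slots go idle they are handed back. Real servers put the same logic in the accept loop and pair it with a short idle timeout on the socket.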