[dns-operations] Questions on DNS Flag day 2020 proposal

Jerry Lundström jerry at dns-oarc.net
Mon Jun 17 06:55:55 UTC 2019

Hi Davey,

On 6/17/19 8:12 AM, Davey Song wrote:
> 1) How to enhance and implement the idea of making DNS over TCP support
> mandatory. In the 2019 flag day, I know the approach is to narrow the living
> space of authoritative servers to get good performance from an updated
> resolver if they do not support EDNS. But as to TCP, how to enhance it? We
> know that UDP queries from a stub resolver only trigger the resolver sending UDP
> queries to the authoritative server. What would happen if the authoritative
> server does not support TCP after a flag day in 2020? Does the resolver monitor
> the TCP-readiness of the authoritative server in advance and penalize it
> afterwards, or does it change the received UDP queries randomly (10%) to TCP
> queries against the targeted authoritative server? Too complicated! Can we
> provide a positive incentive other than a penalty for this case?
> 2) No matter how it is implemented, it definitely exerts huge pressure on
> authoritative DNS operators (a huge number of them) due to the performance of DNS
> over TCP. Did the guys who proposed this ever ask the opinion of the
> circle of authoritative DNS operators? Is there any vote or rough consensus
> from the majority of them? And where? ICANN GNSO TechOps? I heard this complaint
> because some DNS operators feel strongly that they have been bullied
> without even being asked.
> As a technical guy, I fully understand and support the enhancement of
> interoperability of the DNS protocol. But I doubt this approach. I
> suggest doing it by advocating the significance of the initiative, and leaving
> enough time for the transition, not by a change on a flag day. The IPv6
> transition may not be a good example, but it is mad to think about asking a
> website to turn off IPv4 on a flag day.

I'm mostly reading this as you think the proposal is "DNS over TCP only"
and my understanding is that it's not like that.

TCP should be preferred when otherwise the query would fragment over
UDP, to ensure that the answer is complete and arrives.

The proposal is to change the default EDNS size to reflect common
network MTU sizes; a stub/resolver/auth that plays by the book will then
switch over to TCP if the answer is too big.

Now there are many "bad actors" everywhere, *-dns services not listening
on TCP, firewalls etc. This won't fix all of them and I really don't
think we should add penalty.

The majority of DNS will still be over UDP, _but TCP **MUST** work!_

> I also suggest we should continue this discussion and invite more people to
> join, in case of giving people a bad impression of a "tyranny by the few".

Thanks for initiating the discussion here. The organization around DNS
flag day is currently a work in progress and we, DNS-OARC, just recently
took it upon ourselves to be the supporting organization around this.

We're using this mailing list as the initial discussion forum as it is
quite relevant to DNS operations. If this topic starts crowding out other
topics, or if the community expresses it, we can move it to its own
mailing list.
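The mechanism Jerry describes, a client that advertises an EDNS buffer size over UDP and retries over TCP only when the authoritative server marks the answer truncated, as an added example written for this archive page (it is not code from the thread or from DNS-OARC). It builds a minimal query with an OPT record, inspects the TC bit of the reply, and only then opens a TCP connection with the two-byte length prefix. The buffer size 1232 is an assumption here; the message itself names no number. The two sample response headers are constructed so the decision logic can be exercised offline.

```python
import socket
import struct

# Assumed EDNS UDP payload size for the example; the thread does not name one.
EDNS_UDP_SIZE = 1232

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: the answer did not fit the advertised size
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(qname, qtype=1, txid=0x1234, udp_size=EDNS_UDP_SIZE):
    """Build a DNS query for qname with an EDNS0 OPT record advertising udp_size.

    Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR).
    """
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    # OPT RR (RFC 6891): root name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we act on."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(response):
    """True when the server set TC, i.e. the UDP answer is incomplete and must be refetched over TCP."""
    return parse_header(response)["tc"]


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is a byte stream)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed before the full DNS message arrived")
        buf += chunk
    return buf


def resolve(qname, server, qtype=1, timeout=2.0):
    """Query over UDP first; fall back to TCP only if the reply is truncated.

    Returns (raw_response, transport_used). A server that is reachable over UDP
    but never answers on TCP surfaces here as a TCP timeout or connection error,
    which is exactly the failure mode the flag day discussion is about.
    """
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(EDNS_UDP_SIZE)
    if not needs_tcp_retry(response):
        return response, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)  # length prefix, RFC 1035 4.2.2
        length = struct.unpack("!H", recv_exact(tcp, 2))[0]
        return recv_exact(tcp, length), "tcp"


# Constructed sample headers (no records) for offline checks of the decision logic.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
```

Calling `resolve("example.com", "<resolver IP>")` against a live resolver exercises the real path; the sample headers let you check the truncation decision without a network. Note that the fallback is decided purely by the TC bit, so a middlebox that strips TC or a server that silently drops TCP is not compensated for here, which is the "bad actors" case Jerry mentions.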