
Re: the TCP argument again, consensus call of RR prefix

2004-09-14 09:23:25

> If DNS/TCP is blocked at a firewall, then that firewall is badly
> configured.

No doubt, but if we had all agreed to disregard problems due to
misconfiguration, we'd be having a very different discussion.

The people who run UltraDNS tell me that they've observed a widespread
resolver library bug that fails unpleasantly when a DNS TCP
transaction doesn't fit in a single TCP segment.  The client
incorrectly concludes that the other end aborted the session and it
tries again immediately.  They discovered this when an apparent DDOS
attack turned out in fact to be a whole lot of buggy resolvers trying
to fetch an RR set that had recently grown beyond 512 bytes.

You don't need to tell us that this shouldn't be a problem.  But the
reality appears to be that we won't be able to use widespread DNS over
TCP for a long time, if ever.  It's probably easier to roll out EDNS0,
even with all its problems.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"I shook hands with Senators Dole and Inouye," said Tom, disarmingly.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
johnl(_at_)iecc(_dot_)com, Mayor, http://johnlevine.com, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
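As an added illustration that is not part of the message above or of the UltraDNS report it relays, the framing mistake it describes, in Python: a reader that trusts a single recv() to hold the whole reply beside one that honours the RFC 1035 section 4.2.2 two-byte length prefix and keeps reading across segments. The ChunkedSocket stand-in and the 600-byte reply body are constructed.

```python
import struct
from typing import Optional

# Constructed stand-in for a TCP socket: hands back the byte stream in
# fixed-size chunks, the way a large DNS reply arrives over several segments.
class ChunkedSocket:
    def __init__(self, data: bytes, chunk: int):
        self._data, self._chunk, self._pos = data, chunk, 0

    def recv(self, n: int) -> bytes:
        end = min(self._pos + min(n, self._chunk), len(self._data))
        out = self._data[self._pos:end]
        self._pos = end
        return out  # b"" only once the data is exhausted (peer closed)


def read_dns_tcp_naive(sock) -> Optional[bytes]:
    """Reads one segment and assumes it held the whole message.
    When the reply spans several segments the length check fails, the
    caller treats it as an abort and retries: the storm described above."""
    buf = sock.recv(65535)
    if len(buf) < 2:
        return None
    (length,) = struct.unpack("!H", buf[:2])
    body = buf[2:]
    return body if len(body) == length else None  # short read mistaken for abort


def recv_exactly(sock, n: int) -> bytes:
    """Loops until n bytes have arrived; only b"" (peer closed) is an error."""
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-message")
        buf += part
    return bytes(buf)


def read_dns_tcp(sock) -> bytes:
    """RFC 1035 4.2.2 framing: 2-byte big-endian length, then the message."""
    (length,) = struct.unpack("!H", recv_exactly(sock, 2))
    return recv_exactly(sock, length)


# Constructed 600-byte reply body, larger than the 512-byte UDP limit.
REPLY = bytes(range(256)) * 2 + b"\x00" * 88
WIRE = struct.pack("!H", len(REPLY)) + REPLY
```

With a 536-byte segment (the classic default TCP MSS) the naive reader returns None for the 602-byte wire message while the looping reader returns the full body.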

