spf-discuss

RE: New DNS record issue.

2004-01-13 10:53:03
And we end up with responses over 500 bytes, game over.

Since when was DNS limited to only 500 byte responses?

If your DNS server, your resolver or your network has issues handling TCP DNS, then it's broken.

The issue is not my infrastructure, the problem is what happens when you go
over 500 bytes. First you have a TCP/IP setup overhead which is several
round trips. Second you have the problem of misconfigured firewalls.

A silly proportion of the traffic at the roots comes from misconfigured
firewalls that only accept DNS over UDP. When a fallback occurs these
systems can get into a weird loop and just end up banging on the same record
until DDoS latches kick in and deep six the domain.

                Phill
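The mechanics behind the exchange above, as an added example that is not part of the original thread: a 512-byte UDP reply limit, the TC (truncation) bit a server sets when it cannot fit the answer, the 2-byte length framing of DNS over TCP, and a resolver that falls back to TCP and gives up after a bounded number of attempts instead of re-sending the same UDP query when TCP/53 is filtered. All messages are constructed in memory (example.com with SPF-style TXT records); the "servers" are stand-in functions, so nothing touches the network, and none of this is code from the list or from any SPF implementation.

```python
import struct

UDP_PAYLOAD_LIMIT = 512   # RFC 1035 UDP message limit without EDNS0
TC_BIT = 0x0200           # TrunCation flag in the DNS header flags word
TYPE_TXT, CLASS_IN = 16, 1


def build_query(qname, qtype=TYPE_TXT, qid=0x1234):
    """Minimal DNS query: header with RD=1, one question, no EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header; 'tc' is what a resolver must check before trusting a UDP reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & TC_BIT), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_txt_response(query, txts):
    """Authoritative answer echoing the question, one TXT RR per string (each <=255 bytes)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(txts), 0, 0)  # QR=1 RD=1 RA=1
    rrs = b""
    for t in txts:
        data = t.encode("ascii")
        assert len(data) <= 255, "a TXT <character-string> is at most 255 bytes"
        rdata = bytes([len(data)]) + data
        # 0xC00C is a compression pointer to the QNAME at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]


def make_transports(full_response, tcp_blocked):
    """Constructed stand-ins for the wire: a UDP server that truncates oversize replies
    and a TCP path that a misconfigured firewall may silently drop."""
    def udp_send(query):
        if len(full_response) <= UDP_PAYLOAD_LIMIT:
            return full_response
        qid, flags = struct.unpack("!HH", full_response[:4])
        # truncated reply: TC=1, question echoed, all RR sections emptied
        return struct.pack("!HHHHHH", qid, flags | TC_BIT, 1, 0, 0, 0) + query[12:]

    def tcp_send(framed_query):
        if tcp_blocked:
            raise ConnectionError("TCP/53 filtered by firewall")
        return tcp_frame(full_response)

    return udp_send, tcp_send


def resolve(query, udp_send, tcp_send, max_attempts=2):
    """Query over UDP; on TC=1 retry over TCP. Attempts are bounded: a resolver that
    re-sends the same UDP query indefinitely when TCP fails is the loop the post describes."""
    for attempt in range(1, max_attempts + 1):
        reply = udp_send(query)
        if not parse_header(reply)["tc"]:
            return reply, "udp", attempt
        try:
            return tcp_unframe(tcp_send(tcp_frame(query))), "tcp", attempt
        except ConnectionError:
            continue
    raise RuntimeError("gave up after %d truncated UDP replies; TCP/53 appears blocked" % max_attempts)


def demo(tcp_blocked=False):
    """Three constructed SPF-style TXT records whose answer cannot fit in 512 bytes."""
    query = build_query("example.com")
    txts = ["v=spf1 " + " ".join("ip4:192.0.%d.%d" % (i, n) for n in range(14)) + " -all"
            for i in range(3)]
    full = build_txt_response(query, txts)
    udp_send, tcp_send = make_transports(full, tcp_blocked)
    try:
        reply, transport, attempts = resolve(query, udp_send, tcp_send)
    except RuntimeError as e:
        return {"full_len": len(full), "transport": None, "error": str(e)}
    return {"full_len": len(full), "transport": transport, "attempts": attempts,
            "ancount": parse_header(reply)["ancount"]}


if __name__ == "__main__":
    print(demo(tcp_blocked=False))   # answer arrives over TCP after one truncated UDP reply
    print(demo(tcp_blocked=True))    # TCP filtered: bounded failure, not an endless UDP retry
```

The truncated UDP reply carries no answer RRs at all, so a resolver that ignores TC and caches it will see an empty answer; one that honours TC but cannot reach TCP/53 gets the same truncated reply on every retry, which is why the retry count must be capped.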

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt