28 Dec 2018, 2:35 a.m.
There are major operators that still have STUPID firewall settings in front of DNS servers that drop SYN packets with ECE and CWR set, 17 years after ECN was specified. Do you really want to add a second to EVERY DNS lookup that needs to use TCP? Modern OSes actually attempt to use ECN by default. DNS is time critical enough without introducing unnecessary delays. If you have signed zones then TCP requests are almost certainly being made to your servers.

EVERYONE TEST YOUR SERVERS FROM OUTSIDE YOUR NETWORK AND FIX THE BROKEN FIREWALLS THAT ARE FOUND.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
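The failure mode described in the post can be recognised from a packet capture: an ECN-setup SYN (SYN with both ECE and CWR set, RFC 3168 section 6.1.1) draws no SYN-ACK, the client retransmits a plain SYN after its retransmission timeout, and only that one is answered. The following is an added example, not code from the post or from ISC; it packs and parses the TCP flags byte, classifies handshake segments by their ECN bits, and reports the fallback delay from a flow record. The `Pkt` records, the 1.0 s default RTO used as the minimum gap, and the sample flows are constructed assumptions for illustration.

```python
"""
Added example (not from the original post): classify TCP handshake segments by
their ECN flags per RFC 3168 and flag the "ECN SYN blackhole" fallback pattern
in a flow record. All packet data below is constructed for illustration.
"""
import struct
from dataclasses import dataclass

# TCP flag bits, low to high, in byte 13 of the TCP header (RFC 793 / RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Pack a minimal 20-byte TCP header (checksum left zero; this is for
    parsing demonstrations, not for sending)."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Return the 8-bit flags field from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13]


def classify(flags: int) -> str:
    """Name a segment's handshake role. RFC 3168 s6.1.1: an ECN-setup SYN has
    both ECE and CWR set; an ECN-setup SYN-ACK has ECE set and CWR clear."""
    if flags & SYN and not flags & ACK:
        return "ecn-setup-syn" if flags & (ECE | CWR) == (ECE | CWR) else "syn"
    if flags & SYN and flags & ACK:
        return "ecn-setup-syn-ack" if (flags & ECE) and not (flags & CWR) else "syn-ack"
    return "other"


@dataclass
class Pkt:
    t: float      # seconds since the first packet of the flow
    src: str      # "client" or "server"
    flags: int


def ecn_blackhole(pkts, min_gap: float = 1.0):
    """Return the fallback delay in seconds if the client's ECN-setup SYN(s)
    went unanswered and only a later plain SYN drew a SYN-ACK; else None.
    min_gap filters noise: a retransmit-then-fallback takes at least one RTO
    (assumed 1 s here, matching the "add a second" in the post)."""
    ecn_syns = [p.t for p in pkts if p.src == "client" and classify(p.flags) == "ecn-setup-syn"]
    if not ecn_syns:
        return None
    first_ecn = min(ecn_syns)
    plain_syns = [p.t for p in pkts if p.src == "client"
                  and classify(p.flags) == "syn" and p.t > first_ecn]
    if not plain_syns:
        return None
    first_plain = min(plain_syns)
    synacks = [p.t for p in pkts if p.src == "server"
               and classify(p.flags) in ("syn-ack", "ecn-setup-syn-ack")]
    answered_before = any(t < first_plain for t in synacks)
    answered_after = any(t >= first_plain for t in synacks)
    gap = first_plain - first_ecn
    if not answered_before and answered_after and gap >= min_gap:
        return gap
    return None


# Constructed sample: a client SYN to port 53 with ECN negotiation requested.
SAMPLE_ECN_SYN = build_tcp_header(40123, 53, SYN | ECE | CWR, seq=0x1234)

# Constructed flow records. BLOCKED_FLOW is what a firewall that drops
# ECE/CWR-marked SYNs produces: the ECN SYN is never answered, the client
# retries without ECN after its RTO, and only then gets a SYN-ACK.
BLOCKED_FLOW = [
    Pkt(0.00, "client", SYN | ECE | CWR),
    Pkt(1.00, "client", SYN),          # fallback retransmit without ECN
    Pkt(1.02, "server", SYN | ACK),
    Pkt(1.02, "client", ACK),
]
# HEALTHY_FLOW: the ECN SYN is answered immediately with an ECN-setup SYN-ACK.
HEALTHY_FLOW = [
    Pkt(0.00, "client", SYN | ECE | CWR),
    Pkt(0.02, "server", SYN | ACK | ECE),
    Pkt(0.02, "client", ACK),
]

if __name__ == "__main__":
    f = tcp_flags(SAMPLE_ECN_SYN)
    print("sample SYN flags:", hex(f), classify(f))
    for name, flow in (("blocked", BLOCKED_FLOW), ("healthy", HEALTHY_FLOW)):
        print(name, "fallback delay:", ecn_blackhole(flow))
```

To use this against a real server, capture the handshake of a TCP DNS query from a vantage point outside the operator's network with ECN enabled on the client, convert the SYN/SYN-ACK segments into `Pkt` records, and a non-`None` result is the extra latency the firewall is adding to every TCP lookup.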