Date: Fri, 13 Jun 2008 14:14:55 -0400 From: Jon Kibler <Jon.Kibler@aset.com>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Mark Price wrote: <SNIP>
From what I have read, public DNS servers should support both UDP and TCP queries. TCP queries are often used when a UDP query fails, or if the answer is over a certain length.
UDP is used for queries.
Sometimes.
TCP is used for zone transfers.
Yes.
If my server responded to TCP queries from anyone other than a secondary server, I would be VERY concerned.
If it does not, you should be very concerned. The RFCs (several, but I'll point first to good old 1122) allow either TCP or UDP to be used for any operation that will fit in a 512 byte transfer. (EDNS0 allows larger UDP.) TCP is to be used any time a truncated bit is set in a replay. If you ever send a large reply that won't fit in 512 bytes, the request will be repeated using a TCP connection. If you ignore these, your DNS is broken. It is even allowed under the spec to start out with TCP, as AXFR queries typically do. Yes, I realize that this is fairly common and it does not break much, but, should DNSSEC catch on, you might just find the breakage a bit worse than it is today and there is no reason to have even the slight breakage that is there now. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751