EDNS would be nice if it was working, but the same guy who disabled tcp in the
firewall somehow has shot EDNS too.

There are so many broken firewalls around nameservers that tcp is a must.

It is not an EDNS or bind problem. It is the firewalls in between.
Expect the worst but try to give your best says please keep tcp working.

Cheers
Peter

traynham....@epamail.epa.gov wrote:
> Please explain:
>  
> With DNSSEC tcp is almost a must. Same with IPv6.
> Is EDNS0 not sufficient?
>  
> Thanks,
> Ken
>  
> Ken Traynham
> Network Engineer, ITS-EPA CLIN9
> CSC
> 
> 79 TW Alexander Drive, Building 4201, Durham NC 27709
> ITIS | p: 919.767.7059 | f: 919.767.7506 | traynham....@epa.gov
> <mailto:traynham....@epa.gov> | www.csc.com <http://www.csc.com/>
> 
> -----bind-users-boun...@lists.isc.org wrote: -----
> 
>     To: bind-us...@isc.org
>     From: Peter Dambier <pe...@peter-dambier.de>
>     Sent by: bind-users-boun...@lists.isc.org
>     Date: 05/05/2009 05:31AM
>     Subject: Re: tcp versus udp
> 
>     Hello Martin,
> 
>     since a major outage at my provider, dtag.de or Deutsche Telekom AG,
>     I have trouble with f.root-servers.net. Sometimes "dig ... +vc" does
>     help me to see f.root-servers.net.
> 
>     The real problem is anycast. With udp it behaves differently than with
>     tcp.
> 
>     When querying servers that are difficult to reach, sometimes you are
>     more lucky with tcp than with udp.
> 
>     Amplification attacks using nameservers don't work with tcp.
> 
>     Sometimes bugs in resolvers, sometimes in clients, cause failover to tcp.
> 
>     With DNSSEC tcp is almost a must. Same with IPv6.
> 
> 
>     Kind regards
>     Peter
> 
> 
> 
>     Martin McCormick wrote:
>     >     When are tcp dns queries necessary?
>     >
>     >     It was my understanding that clients could use tcp or
>     > udp.
>     >
>     > Martin McCormick WB5AGZ  Stillwater, OK
>     > Systems Engineer
>     > OSU Information Technology Department Telecommunications Services Group
>     > _______________________________________________
>     > bind-users mailing list
>     > bind-users@lists.isc.org
>     > https://lists.isc.org/mailman/listinfo/bind-users
> 
>     -- 
>     Peter and Karin Dambier
>     Cesidian Root - Radice Cesidiana
>     Rimbacher Strasse 16
>     D-69509 Moerlenbach-Bonsweiher
>     +49(6209)795-816 (Telekom)
>     +49(6252)750-308 (VoIP: sipgate.de)
>     mail: pe...@peter-dambier.de
>     http://www.peter-dambier.de/
>     http://iason.site.voila.fr/
>     https://sourceforge.net/projects/iason/
>     ULA= fd80:4ce1:c66a::/48

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: pe...@peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
ULA= fd80:4ce1:c66a::/48
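
The interplay the thread is arguing about, as an added example that is not part of any message above: a query advertises a larger UDP size through an EDNS0 OPT record, and when a middlebox removes it the server truncates a large answer and the client has to retry over TCP. The function names, the 1400-byte answer size and the middlebox and server models are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # largest UDP DNS message without EDNS0 (RFC 1035)

def build_query(name, qtype, edns_size=None, do_bit=False, qid=0x1234):
    """Build a query; if edns_size is given, append an EDNS0 OPT record (RFC 6891)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root owner, TYPE 41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags (DO is 0x8000), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000 if do_bit else 0, 0)
    return msg

def advertised_udp_size(query):
    """UDP payload size the query advertises (512 when it carries no OPT record)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:                 # skip the question name label by label
        pos += 1 + query[pos]
    pos += 1 + 4                      # root label, then QTYPE and QCLASS
    if arcount and query[pos] == 0:
        rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == 41:
            return max(size, CLASSIC_UDP_LIMIT)
    return CLASSIC_UDP_LIMIT

def strip_edns(query):
    """Constructed middlebox model: drop the trailing 11-byte OPT record."""
    if advertised_udp_size(query) == CLASSIC_UDP_LIMIT:
        return query
    return query[:10] + b"\x00\x00" + query[12:-11]

def server_udp_reply(query, answer_len):
    """Constructed server model: header-only reply, TC set if the answer won't fit."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0200 if answer_len > advertised_udp_size(query) else 0)
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)

def client_next_step(reply, tcp_allowed):
    """What a client does with a UDP reply: accept it, retry over TCP, or fail."""
    truncated = struct.unpack("!H", reply[2:4])[0] & 0x0200
    if not truncated:
        return "accept"
    return "retry_tcp" if tcp_allowed else "fail"
```

With the OPT record intact, a 1400-byte DNSKEY answer is accepted over UDP; with it stripped, the same answer only arrives if TCP port 53 is also open.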