I haven’t seen a final draft yet, so hopefully it’s not too late to suggest
further additions :)
A talk [1] at DNS OARC 42 this morning reminded me of a common pitfall we might
do well to point out in the document.
Beware of state in the network!
State-holding middleware, e.g. firewalls and load-balancers, whether in discrete
devices or local to the nameserver host itself (e.g. connection tracking in
Linux netfilter), often comes with a default configuration not tuned in
expectation of the high volumes of UDP seen at a DNS server. A typical failure
scenario sees state tables overrun, resulting in dropped packets.
Careful consideration should be given to tuning how state is held in
the network; is it needed at all?
dave
[1]
Real world challenges with large responses, truncation, and TCP
<https://indico.dns-oarc.net/event/48/contributions/1036/>
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/dns-wg
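As an added illustration of the pitfall Dave describes (this is example code, not something from the post or from the OARC talk), the script below does three things on a Linux nameserver host: it reads the netfilter conntrack fill level from the standard `nf_conntrack_count`/`nf_conntrack_max` sysctls (falling back to constructed numbers where the module is not loaded), counts the kernel's "table full, dropping packet" messages in a constructed kernel-log sample, and prints an nftables rule set that exempts port 53 from connection tracking altogether with `notrack`. The table name `dns_notrack` and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Check whether the
# netfilter conntrack table on a DNS server is filling up or already
# dropping packets, and show how to keep DNS out of the table entirely.

# Standard Linux sysctl paths for the conntrack table (present only when
# nf_conntrack is loaded).
CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max

# Percentage of the conntrack table in use, given the current entry count
# and the configured maximum. Returns 1 (and prints 0) for a zero maximum.
conntrack_fill_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Live fill level when the sysctls exist; otherwise fall back to constructed
# sample values so the script still runs on a host without nf_conntrack.
live_fill_pct() {
    if [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ]; then
        conntrack_fill_pct "$(cat "$CT_COUNT")" "$(cat "$CT_MAX")"
    else
        echo "nf_conntrack sysctls not present; using constructed sample values" >&2
        conntrack_fill_pct 180000 262144   # assumed sample: ~68% full
    fi
}

# Count the kernel's conntrack overflow messages in a log stream on stdin
# (dmesg / journalctl -k output). grep -c prints 0 and exits 1 on no match,
# so the || true keeps the function usable under set -e.
count_table_full() {
    grep -c 'nf_conntrack:.*table full, dropping packet' || true
}

# Constructed sample of kernel log lines for the example (not real captures).
SAMPLE_LOG='[1234.001] nf_conntrack: nf_conntrack: table full, dropping packet
[1234.002] nf_conntrack: nf_conntrack: table full, dropping packet
[1234.003] eth0: link is up
[1234.004] nf_conntrack: nf_conntrack: table full, dropping packet'

# nftables rule set that marks DNS traffic to and from this server as
# untracked. The raw-priority hooks run before conntrack, so a UDP query
# never allocates an entry in the table. Table name is an assumption.
print_notrack_ruleset() {
cat <<'EOF'
table inet dns_notrack {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
    }
    chain output {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
    }
}
EOF
}

# Report: fill level, drops seen in the sample log, and the rule set to apply.
echo "conntrack table fill: $(live_fill_pct)%"
echo "table-full drops in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
print_notrack_ruleset
```

Two caveats when applying the `notrack` rule set. Untracked packets never reach `ct state established,related`, so any filter chain that relies on that rule to admit return traffic needs an explicit `udp port 53 accept` (or `ct state untracked accept`) or DNS will be dropped by a default-drop policy. And if DNS must stay tracked, the same sysctl directory holds `nf_conntrack_udp_timeout`, which bounds how long each query's entry occupies the table; lowering it does more for a busy resolver than simply raising `nf_conntrack_max`.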