On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:

> Hi Misc,
> 
> I have been doubling as a system admin for our small university research
> group for a number of years now, but every now and then I get reminded of
> my own ignorance. One of those moments happened a month and a half ago
> when pkg management tools stopped working on all my FreeBSD file servers
> and jail hosts. After wasting an hour, I got to the bottom of my
> problem. Namely, my caching DNS Unbound resolvers (obviously running on
> OpenBSD), which also serve my LAN and DMZ authoritatively, could no longer
> resolve
> 
> pkg.freebsd.org.
> 
> After wasting another hour it became clear that the authoritative DNS for
> pkg.freebsd.org was no longer serving over the UDP protocol and was
> expecting my DNS resolver to use TCP instead of UDP for name queries.
> For a number of years I had in my /var/unbound/etc/unbound.conf the line
> 
> do-tcp: no
> 
> even though I was aware that OpenBSD 6.7 ships with
> 
> do-tcp: yes
> 
> To make things worse, I was blocking TCP port 53.
> 
> I am not much of a DNS expert, but I was under the impression that TCP was
> only used for publishing record sets larger than 512 bytes. However, it
> appears that I am mistaken.
> 
> https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp
> 
> That is not just a random garbage thread. The person whose answer was
> accepted claims to be the author of RFC 5966. There is another
> interesting post, getting a lot of thumbs down, that brings back some
> of the old fights started by Daniel Bernstein.
> 
> There is a second less illuminating thread 
> 
> https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp
> 
> According to the above threads it appears that DNSSEC validation requires
> TCP port 53 and do-tcp: yes to work properly.
> 
> Could a kind soul who runs DNS for a living point me to the documentation
> which I can use to educate myself?

https://tools.ietf.org/html/rfc7766 says it all.

The TCP requirement is related to DNSSEC because DNSSEC makes the DNS
replies bigger, but the custom of dumping more and more into TXT
records is another reason. The recommendation to use a UDP buffer
size of 1232 to avoid big UDP packets and thus IP fragmentation also
makes TCP fallback needed more often. See https://dnsflagday.net/2020/

For all practical purposes, setting up DNS without TCP is broken.

        -Otto
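An added illustration, not part of the thread, of the UDP-then-TCP behaviour Otto describes: a minimal stub query written against the Python 3 standard library that advertises the 1232-byte EDNS buffer, checks the TC (truncated) bit in the reply, and retries over TCP with the two-byte length prefix RFC 7766 requires. The resolver address passed to `query()` is an assumption; a resolver running with `do-tcp: no`, or a firewall dropping TCP port 53, fails exactly at the fallback step.

```python
import socket
import struct

EDNS_UDP_SIZE = 1232  # UDP payload size recommended by DNS flag day 2020
TC_BIT = 0x0200       # "truncated" flag in the DNS header: the client must retry over TCP

def build_query(name, qtype=1, txid=0x1234, udp_size=EDNS_UDP_SIZE):
    """Encode a recursive query for `name` with an EDNS0 OPT record advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1 (OPT)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE (1 = A), QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)  # root name, type OPT, UDP size, TTL, RDLEN
    return header + question + opt

def is_truncated(reply):
    """True when the server set TC: the answer did not fit in UDP and TCP is required."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & TC_BIT)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with a two-byte big-endian length (RFC 7766)."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (TCP may split the message)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query(name, server, timeout=3.0):
    """Ask over UDP first; fall back to TCP on TC. Returns (reply_bytes, used_tcp)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(EDNS_UDP_SIZE)
    if not is_truncated(reply):
        return reply, False
    # This is the step a resolver with "do-tcp: no" never takes, and that a
    # firewall dropping TCP port 53 turns into a timeout.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return recv_exact(s, length), True
```

Running `query("pkg.freebsd.org", "<resolver address>")` returns the raw reply and whether TCP was needed; with TCP port 53 blocked the second connection times out instead of answering.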