On 2011-01-24 20.29, Henning Brauer wrote:
> * Oliver Peter <[email protected]> [2011-01-24 15:13]:
>> On Mon, Jan 24, 2011 at 01:33:53PM +0100, Henning Brauer wrote:
>>> * Oliver Peter <[email protected]> [2011-01-24 11:56]:
>>>> The tcp option in resolv.conf might be reasonable for a single workstation
>>>> but due to the protocol overhead not appropriate for larger networks / many
>>>> clients.
>>> people keep claiming this bullshit. remains bullshit.
>> The more I think about it... The only tcp connection you establish is from
>> the host in question (i.e. workstation) to the resolver.
>> The resolver then decides how to query the authoritative nameserver
>> (udp/tcp),
>> right? Aye?
> almost. it'll be more than one. that could be circumvented by a small
> local daemon, but that has other downsides. after all, the cost of
> establishing a tcp session isn't all that high, especially to the
> caching resolver which should be near aka low ttl.
>
> i even doubt it'd make much of a difference for a caching resolver.
> tcp sessions to the root servers and the common tld servers should
> stay established. ditto for very commonly used other nameservers. the
> rest, yes, there is a little higher overhead. does it matter? i doubt
> it. but i have no numbers either. and thus, when i talk about the
> matter, i make clear this is an educated guess, no more, no less.
Speaking about educated guesses, I personally have doubts about recommending the use of TCP only in the resolver, due to misconfigurations out there in the wild. I've seen cases where TCP access to port 53 has been blocked, both on the resolver and the server side, due no doubt to ignorance. That means almost everything works almost all of the time, until someone tries a zone transfer, gets a large query result or comes along with a TCP-only request.

Indeed, the RFCs have previously stated that implementing TCP is a "should", not a "must", which the good folks at the IETF just recently seem to have put their foot down on: http://datatracker.ietf.org/doc/rfc5966/

So I guess my reservations will eventually end up being obsolete, but for the time being, I'd just stay on the safe side and continue allowing UDP.

Regards,
/Benny

--
internetlabbet.se / work: +46 8 551 124 80 / "Words must
Benny Löfgren / mobile: +46 70 718 11 90 / be weighed,
 / fax: +46 8 551 124 89 / not counted."
 / email: benny -at- internetlabbet.se
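An added check for the misconfiguration Benny describes (example code, not from his post or the list): it queries a resolver over UDP and over TCP and tells the operator whether TCP/53 is filtered and whether UDP answers are already truncated. The resolver address, the default query name and the verdict strings are assumptions.

```python
import socket
import struct
# Added example (not from the thread): probe UDP/53 and TCP/53 on a resolver and classify the outcome.
def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: 12-byte header with RD=1, then QNAME, QTYPE and QCLASS IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Extract id, QR, TC (truncated) and RCODE from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "ancount": ancount}

def query_udp(resolver, q, timeout=2.0):
    """UDP transport; None if nothing comes back before the timeout."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (resolver, 53))
            return s.recv(4096)
    except OSError:
        return None

def query_tcp(resolver, q, timeout=2.0):
    """TCP transport with the 2-byte length prefix of RFC 1035 4.2.2; None if filtered."""
    try:
        with socket.create_connection((resolver, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            f = s.makefile("rb")
            (length,) = struct.unpack("!H", f.read(2))
            return f.read(length)
    except (OSError, struct.error):
        return None

def classify(udp_resp, tcp_resp):
    """Map the pair of responses (either may be None) to an operator-facing verdict."""
    if udp_resp is None and tcp_resp is None:
        return "resolver unreachable"
    if tcp_resp is None:
        tc = parse_header(udp_resp)["tc"]
        return ("tcp/53 blocked: UDP answer truncated and no TCP fallback" if tc
                else "tcp/53 blocked: works until an answer exceeds the UDP size")
    return "udp and tcp both answer" if udp_resp else "udp/53 blocked, tcp/53 open"

def check_resolver(resolver, name="example.com"):
    q = build_query(name)
    return classify(query_udp(resolver, q), query_tcp(resolver, q))
```

`check_resolver("192.0.2.53")` (placeholder address) runs both probes against one resolver; the classification is the same one you would want from a monitoring job before switching clients to TCP-only resolution.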

