Hi Anand,
On 09/06/2020 15:35, Anand Buddhdev via nsd-users wrote:
> Hello NSD developers,
>
> Did you see this email I sent a few days ago? I'd love to hear from you,
> to better understand how NSD uses TFO.

Sure.

> Regards,
> Anand
>
> On 03/06/2020 15:28, Anand Buddhdev via nsd-users wrote:
>
>> Hi NSD developers,
>>
>> I see that NSD can be configured with --enable-tcp-fastopen. However,
>> the documentation doesn't say which parts of NSD use TFO.

NSD uses TCP fast open for servicing clients. That is downstream
connections. It is an authoritative server. If enabled, NSD uses it for
TCP streams, and also for TLS streams.

>> Does NSD use TFO as a client, when requesting XFR from a server?

No, it does not. NSD does perform session reuse, using the same TCP stream
again for XFR requests from a server, or asking multiple XFRs at the same
time.

>> Does NSD generate and provide TFO cookies to clients that request them?

No, but I guess the system may do that, when TFO is enabled with a socket
option. But NSD can perform OCSP stapling with tls-service-ocsp, if you
want that.

>> Or does NSD do both of the above?
>>
>> Is there any downside to enabling TFO? If not, why isn't it enabled by
>> default?

The option is there because the functionality is not present in all
kernels. If you want it by default, that mostly depends on people with
older kernels and how that fails; if our users have recent systems we
could enable it by default, I guess. In many cases the user has to enable
TFO support in the kernel of the system with admin commands, you can see
them in documentation, and I think it is a surprise to enable the TFO in
NSD by default for users that have not enabled it?
Best regards, Wouter

_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
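
Added example (not part of the original message, and not NSD's own code): a C sketch of the two gates the reply above mentions, the kernel-side TFO setting and the TCP_FASTOPEN socket option on a listener, falling back to plain TCP where the option is unavailable. The helper names and the queue length of 5 are assumptions for illustration; the sysctl path and bit values are Linux-specific.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#define TFO_SERVER_BIT 0x2 /* Linux sysctl bitmask: 0x1 client, 0x2 server */

/* Parse the text read from /proc/sys/net/ipv4/tcp_fastopen.
 * Returns 1 if server-side TFO is on, 0 if off, -1 if the text is not a number. */
int tfo_server_enabled(const char *sysctl_text)
{
    char *end;
    errno = 0;
    long v = strtol(sysctl_text, &end, 0);
    if (errno != 0 || end == sysctl_text || v < 0)
        return -1;
    return (v & TFO_SERVER_BIT) ? 1 : 0;
}

/* Ask for TFO on a listening socket (hypothetical helper). Returns 1 if accepted,
 * 0 if headers or kernel lack it; the listener then keeps serving plain TCP. */
int try_enable_tfo(int listen_fd, int queue_len)
{
#ifdef TCP_FASTOPEN
    if (setsockopt(listen_fd, IPPROTO_TCP, TCP_FASTOPEN,
                   &queue_len, sizeof(queue_len)) == 0)
        return 1;
    perror("TCP_FASTOPEN"); /* e.g. ENOPROTOOPT on a kernel without TFO */
#else
    (void)listen_fd; (void)queue_len; /* built against headers without TFO */
#endif
    return 0;
}

int main(void)
{
    char buf[32] = "";
    FILE *f = fopen("/proc/sys/net/ipv4/tcp_fastopen", "r");
    if (f) { if (!fgets(buf, sizeof(buf), f)) buf[0] = '\0'; fclose(f); }
    printf("kernel server-side TFO: %d\n", tfo_server_enabled(buf));
    struct sockaddr_in sa = { .sin_family = AF_INET };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0) { perror("listener"); return 1; }
    printf("TFO on listener: %d\n", try_enable_tfo(fd, 5));
    close(fd);
    return 0;
}
```

The sysctl and the socket option are separate gates, so an operator checking a deployment should look at both results rather than either one alone.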
