large organization nameservers sending icmp packets to dns servers.

Patrick W. Gilmore patrick at
Tue Aug 7 20:10:17 UTC 2007

On Aug 7, 2007, at 3:45 PM, Valdis.Kletnieks at wrote:

> On Tue, 07 Aug 2007 14:38:06 EDT, "Patrick W. Gilmore" said:
>>> In addition, any UDP truncated response needs to be retried via
>>> TCP- blocking it would cause a variety of problems.
>> Since we are talking about authorities here, one can control the size
>> of ones responses.
> Barely.


The point is, if you are the authority, you know how big the packet  
is.  If you know it ain't over 512, then you don't need TCP.

Or are you saying you do?  Wouldn't it be 'incredibly stupid' for  
recursive servers to -require- TCP, even for < 512 byte packets?

>> Unless, of course, you are so incredibly stupid you can't figure out
>> the difference between an authority and a caching server.
> I wish people would keep straight what direction they're doing the  
> measurement,
> and for who's benefit.
> If *XYZ* wants to find which of their servers I'm closest to,  
> they'll most
> likely be poking at my *caching* nameservers, because that's where  
> my recursive
> query arrived from[1].
> So we're *not* talking about authorities here.  We're talking about  
> DNS servers
> that are quite possibly configured to not talk, or give only  
> partial results
> via UDP, to queries coming from outside the provider's network  
> (after all,
> those people probably *should* be using *their* provider's caching  
> DNS, right?)

Interesting.  You are suggesting that as a content provider, one  
should rely on measurements from random caching name servers around  
the Internet, many of which you admit yourself are configured not to  
respond to addresses outside their network?  Pardon me for not  
considering an idea you admit yourself wouldn't work.

But you are right, I totally missed that part of the conversation.   
Mea Culpa.

And in case anyone wasn't clear, yes, of course, running a recursive  
server that doesn't accept TCP53 will probably result in missing data  
your users want occasionally.

As for being "incredibly stupid", well, as I have said in private,  
calling a bunch of people rude names without even asking them why  
they are doing what you think is so stupid is .. uh .. probably not  
very bright. :)  Unless, of course, you want everyone else passing  
judgement on how you run your network without asking.


More information about the NANOG mailing list