North American Network Operators Group


Re: large organization nameservers sending icmp packets to dns servers.

  • From: Paul Vixie
  • Date: Wed Aug 08 20:39:41 2007

> >> ... but a TCP connection will consume a
> >> significant amount of a name server's resources.
> >
> > ...wrong.
> 
> Wanting to understand this comment, ...

the resources given a nameserver to TCP connections are tightly controlled,
as described in RFC 1035 4.2.2.  so while TCP/53 can become unreliable during
high load, the problems will be felt by initiators not targets.

(this is why important AXFR targets have to be firewalled down to a very small
population of just one's own nameservers, and is why important zones have to
use unpublished primary master servers, and is why f-root's open AXFR of the
root zone is a diagnostic service not a production service.)
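
Added illustration, not part of the original message and not any name server's actual code: a toy model of a fixed TCP/53 slot budget with the roughly two-minute dormant-connection reclaim from RFC 1035 4.2.2. The slot count, peer names and load pattern are assumptions chosen to show that the server's usage stays capped while initiators, including a legitimate zone-transfer peer, are the ones turned away.

```python
from dataclasses import dataclass, field

# RFC 1035 4.2.2: a dormant connection may be closed to reclaim resources
# once it has been idle "on the order of two minutes".
IDLE_RECLAIM_SECS = 120


@dataclass
class TcpSlotTable:
    """Toy model of a name server's fixed budget of TCP/53 connections."""
    max_slots: int                                   # assumed cap, set by the operator
    last_active: dict = field(default_factory=dict)  # peer -> time of last activity
    refused: int = 0

    def _reclaim_dormant(self, now):
        dormant = [p for p, t in self.last_active.items()
                   if now - t >= IDLE_RECLAIM_SECS]
        for peer in dormant:
            del self.last_active[peer]

    def accept(self, peer, now):
        """Admit a connection if a slot is free; otherwise the initiator loses."""
        if len(self.last_active) >= self.max_slots:
            self._reclaim_dormant(now)
        if len(self.last_active) >= self.max_slots:
            self.refused += 1
            return False
        self.last_active[peer] = now
        return True

    def touch(self, peer, now):
        """Record a query on an open connection, resetting its idle clock."""
        if peer in self.last_active:
            self.last_active[peer] = now


def simulate_load(max_slots=100, initiators=1000, xfer_peer="secondary-1"):
    """Constructed load: many initiators connect within one second, then sit idle."""
    table = TcpSlotTable(max_slots)
    peak = 0
    for i in range(initiators):
        table.accept(f"client-{i}", now=i / initiators)
        peak = max(peak, len(table.last_active))
    # A legitimate transfer peer tries while every slot is held, then again
    # after the held connections have been dormant long enough to reclaim.
    blocked = not table.accept(xfer_peer, now=1.0)
    admitted = table.accept(xfer_peer, now=1.0 + IDLE_RECLAIM_SECS)
    return {"peak_slots": peak, "refused": table.refused,
            "xfer_blocked_under_load": blocked, "xfer_admitted_after_idle": admitted}


if __name__ == "__main__":
    print(simulate_load())
```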