DNS Flag Day: I had to open the TCP/53 port

Salih CIRGAN salih.cirgan at doruk.net.tr
Mon Feb 4 14:08:12 UTC 2019

RFC 6891 states that it uses TCP to avoid truncated UDP responses. It is all about packet size, fragmentation and network load.


   EDNS(0) specifies a way to advertise additional features such as
   larger response size capability, which is intended to help avoid
   truncated UDP responses, which in turn cause retry over TCP.  It
   therefore provides support for transporting these larger packet sizes
   without needing to resort to TCP for transport.

   Announcing UDP buffer sizes that are too small may result in fallback
   to TCP with a corresponding load impact on DNS servers.  This is
   especially important with DNSSEC, where answers are much larger.

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Roberto Carna
Sent: Monday, February 4, 2019 4:46 PM
To: ML BIND Users <bind-users at lists.isc.org>
Subject: DNS Flag Day: I had to open the TCP/53 port


Dear, I have a BIND 9.10 public server and I have delegated some public domains.

When I test these domains with the EDNS tool offered in the DNS Flag Day webpage, the test was wrong with just UDP/53 port opened to Internet.

After that, when I opened also TCP/53 port, the test was successful.

Please can you explain to me the reason I have to open TCP/53 port to Internet from February 1st to the future???

Really thanks, regards.
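The mechanism the RFC 6891 excerpt above describes, as an added example that is not part of this thread: a client advertises its UDP buffer size in an OPT record, a server that cannot fit the answer into that size sets TC, and the client must then repeat the query over TCP/53. All function names, the sample query for example.com and the constructed A records are my own assumptions, not anything from the thread or from BIND.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Offset just past the name at msg[off]; a compression pointer (0xC0..) ends the name."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def build_query(name, udp_payload_size, txid=0x1234):
    """A-record query with an OPT RR advertising udp_payload_size (RFC 6891 section 6.1.2)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)  # TYPE=41, CLASS carries size
    return header + question + opt

def udp_payload_size(msg):
    """UDP size the sender says it accepts: OPT CLASS field, or the RFC 1035 default of 512."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

def udp_response(query, answer_rrs):
    """Server side: if the full answer exceeds the client's advertised size, send an empty
    answer with TC set instead, which obliges the client to repeat the query over TCP/53."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)        # server's own OPT RR
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_rrs), 0, 1) + question + b"".join(answer_rrs) + opt
    if len(full) <= udp_payload_size(query):
        return full
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 1) + question + opt  # flags QR|TC|RD|RA

def needs_tcp_retry(response):
    """Client side: TC (0x0200 in the flags word) set means retry the same query over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

# Constructed sample: 40 A records (name is a pointer to the question) = 640 bytes of answer.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
TRUNCATED = udp_response(build_query("example.com", 512), [A_RR] * 40)   # 512-byte buffer: TC set
COMPLETE = udp_response(build_query("example.com", 1232), [A_RR] * 40)   # 1232 fits the 680-byte answer
```

With the 512-byte default the same answer comes back truncated and the client has to fall back to TCP, which is why a firewall that only passes UDP/53 fails a test of this kind.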
