DNS Flag Day: I had to open the TCP/53 port

Stephan Lagerholm stephan at pi.nxs.se
Mon Feb 4 16:28:31 UTC 2019


Hi Roberto,

You are correct in that the DNS Flag Day tester at https://dnsflagday.net/
is reporting the closed TCP port as a serious problem. Given that the TCP
port is closed, obviously the EDNS test over TCP fails too, and the error
given by the site would be something like: edns512tcp=timeout

To be RFC compliant you should have both UDP and TCP. Timeouts over UDP
can happen due to natural causes, and it is good to give a resolver the
opportunity to fall back to TCP if needed, even if you never expect your
server to respond with the Truncate bit set. But I would say the Flag Day
site is a little bit misleading, since the question of whether TCP should be
open or not is somewhat of an orthogonal problem to EDNS compliance.

Hope this helps explain the error you are seeing.

Stephan

On Mon, 4 Feb 2019, Salih CIRGAN wrote:

> rfc6891 states that it uses TCP to avoid truncated UDP responses. It is all about packet size, fragmentation and network load.
>
>    EDNS(0) specifies a way to advertise additional features such as
>    larger response size capability, which is intended to help avoid
>    truncated UDP responses, which in turn cause retry over TCP.  It
>    therefore provides support for transporting these larger packet sizes
>    without needing to resort to TCP for transport.
>
>    Announcing UDP buffer sizes that are too small may result in fallback
>    to TCP with a corresponding load impact on DNS servers.  This is
>    especially important with DNSSEC, where answers are much larger.
>
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Roberto Carna
> Sent: Monday, February 4, 2019 4:46 PM
> To: ML BIND Users <bind-users at lists.isc.org>
> Subject: DNS Flag Day: I had to open the TCP/53 port
>
> Dear, I have a BIND 9.10 public server and I have delegated some public domains.
>
> When I test these domains with the EDNS tool offered in the DNS Flag Day webpage, the test was wrong with just the UDP/53 port opened to the Internet.
>
> After that, when I also opened the TCP/53 port, the test was successful.
>
> Please can you explain to me the reason I have to open the TCP/53 port to the Internet from February 1st onwards???
>
> Really thanks, regards.

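The mechanics the thread argues about (an EDNS(0) OPT record advertising a UDP payload size, the TC bit in a UDP reply, and the client's retry over TCP, which fails when TCP/53 is filtered) can be shown in a small resolver-side client. The following is an added illustration written for this archive page; it is not code from the thread, from BIND, or from the Flag Day tester. The message layout follows RFC 1035 and RFC 6891; the default payload size of 1232, the transaction id 0x1234 and the constructed truncated response in the `__main__` block are assumptions chosen for the example.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100


def encode_name(qname):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, udp_payload=1232, txid=0x1234):
    """Build a recursive query carrying an EDNS(0) OPT RR (RFC 6891) that
    advertises the UDP payload size the client is willing to receive.
    The 1232 default and the txid are constructed values for this example."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: owner = root, TYPE=41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE/version/flags (all zero here), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Return the header fields that matter for the UDP/TCP decision."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """Read the UDP payload size from the OPT RR of a query made by build_query
    (assumes one question and the OPT RR as the first additional record)."""
    pos = 12
    while query[pos] != 0:          # skip the question name labels
        pos += 1 + query[pos]
    pos += 1 + 4                    # root terminator, then QTYPE/QCLASS
    pos += 1                        # OPT owner name is the root: a single zero byte
    rrtype, udp_size = struct.unpack("!HH", query[pos:pos + 4])
    if rrtype != 41:
        raise ValueError("no OPT RR where expected")
    return udp_size


def needs_tcp_retry(udp_response):
    """A reply with TC=1 was truncated: the resolver must repeat the query over TCP."""
    return parse_header(udp_response)["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a two-octet length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed before full DNS response")
        buf += chunk
    return buf


def resolve(qname, server, udp_payload=1232, timeout=3.0):
    """Query over UDP first and fall back to TCP on truncation; returns (transport, response).
    If TCP/53 is filtered at the server, the fallback times out and the client is left
    without a usable answer, which is the failure the Flag Day tester reports."""
    query = build_query(qname, udp_payload=udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        resp, _ = u.recvfrom(max(512, udp_payload))
    if not needs_tcp_retry(resp):
        return "udp", resp
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(frame_for_tcp(query))
        length = struct.unpack("!H", _recv_exact(t, 2))[0]
        return "tcp", _recv_exact(t, length)


if __name__ == "__main__":
    # Offline demonstration with a constructed, truncated UDP reply (flags QR|TC|RD|RA).
    truncated = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    print("advertised UDP size:", advertised_udp_size(build_query("example.com")))
    print("retry over TCP?", needs_tcp_retry(truncated))
```

`resolve()` is the only function that touches the network; everything it decides on (the OPT record it sends and the TC bit it reads back) is exercised offline by the `__main__` block, so the UDP-then-TCP behaviour can be reasoned about without a live server.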