Peter Dambier wrote:
> Hello Martin,
>
> since a major outage at my provider, dtag.de or Deutsche Telecom AG, I have
> trouble with f.root-servers.net. Sometimes "dig ... +vc" does help me to see
> f.root-servers.net.
>
> The real problem is anycast. With udp it behaves different than with tcp.

That's nonsense. anycast is invisible to this. anycast doesn't care if it's udp or tcp, it only deals with the routing tables to determine where to send the request packet.

> When querying servers that are difficult to reach, sometimes you are more
> lucky with tcp than with udp.

Only if they are misconfigured.

> Amplification attacks using nameservers don't work with tcp.
>
> Sometimes bugs in resolvers sometimes in clients cause failover to tcp.
>
> With DNSSEC tcp is almost a must. Same with IPv6.

This is also untrue. DNSSEC has EDNS0 as a prerequisite and IPv6 fits into any EDNS0 packet unless there's too much even for the larger EDNS0 packets. TCP is only required if the answer doesn't fit in the packet. There are lots of firewalls, etc. that do not handle EDNS0 but that is a different question.

Danny

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
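Added example, not part of the original post: a Python sketch of the size rule discussed in the reply above, showing how an EDNS0 OPT record raises the UDP payload limit and when the TC bit forces a retry over TCP. The function names, the query name `example.com` and the answer sizes are assumptions made up for illustration; `transport_for` ignores any server-side size limit.

```python
import struct

TC_FLAG = 0x0200   # truncation bit in the DNS header flags word
OPT_TYPE = 41      # EDNS0 OPT pseudo-record type
PLAIN_UDP_MAX = 512  # payload limit when the query carries no OPT record

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, msg_id, udp_size=None, do_bit=False):
    """Build a DNS query; when udp_size is set, append an EDNS0 OPT record."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if udp_size:
        ttl = 0x00008000 if do_bit else 0  # DNSSEC OK bit sits in the OPT TTL field
        # root name, TYPE=OPT, CLASS=advertised UDP payload size, TTL, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt

def advertised_udp_size(query):
    """Return the UDP payload size a build_query() message advertises."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos] != 0:          # walk the labels of the single question
        pos += query[pos] + 1
    pos += 1 + 4                    # root label, QTYPE, QCLASS
    if arcount and query[pos] == 0:
        rtype, rclass = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == OPT_TYPE:
            return rclass
    return PLAIN_UDP_MAX

def transport_for(answer_len, query):
    """'udp' if an answer of answer_len bytes fits the advertised size, else 'tcp'."""
    return "udp" if answer_len <= advertised_udp_size(query) else "tcp"

def needs_tcp_retry(response):
    """True when the response header has the TC bit set."""
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)
```
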