Hi Roberto,

You are correct in that the DNS Flag Day tester at https://dnsflagday.net/ is reporting the closed TCP port as a serious problem. Given that the TCP port is closed, obviously the EDNS test over TCP fails too, and the error given by the site would be something like: edns512tcp=timeout

To be RFC compliant you should have both UDP and TCP. Timeouts over UDP can happen due to natural causes, and it is good to give a resolver the opportunity to fall back to TCP if needed, even if you never expect your server to respond with the Truncate bit set. But I would say the flag day site is a little bit misleading, since the question of whether TCP should be open or not is somewhat of an orthogonal problem to EDNS compliance.

Hope this helps explain the error you are seeing.

Stephan

On Mon, 4 Feb 2019, Salih CIRGAN wrote:

> rfc6891 states that it uses TCP to avoid truncated UDP responses. It is all
> about packet size, fragmentation and network load.
>
> > EDNS(0) specifies a way to advertise additional features such as
> > larger response size capability, which is intended to help avoid
> > truncated UDP responses, which in turn cause retry over TCP. It
> > therefore provides support for transporting these larger packet sizes
> > without needing to resort to TCP for transport.
> >
> > Announcing UDP buffer sizes that are too small may result in fallback
> > to TCP with a corresponding load impact on DNS servers. This is
> > especially important with DNSSEC, where answers are much larger.
>
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Roberto Carna
> Sent: Monday, February 4, 2019 4:46 PM
> To: ML BIND Users <bind-users@lists.isc.org>
> Subject: DNS Flag Day: I had to open the TCP/53 port
>
> Dear, I have a BIND 9.10 public server and I have delegated some public domains.
>
> When I test these domains with the EDNS tool offered in the DNS Flag Day webpage, the test was wrong with just UDP/53 port opened to Internet.
>
> After that, when I opened also TCP/53 port, the test was successful.
>
> Please can you explain to me the reason I have to open TCP/53 port to Internet from February 1st to the future???
>
> Really thanks, regards.
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
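As an added example (not part of the thread and not the flag day site's own tester), the following Python script does what the per-transport checks above describe: it sends one EDNS(0) query advertising a 512-byte UDP buffer over UDP, then the same query framed for TCP, against a server you operate, and reports a timeout, a truncated answer, or the response code for each transport. The server address and name passed on the command line are placeholders for your own authoritative server.

```python
import socket
import struct

def build_edns_query(name, qtype=1, udp_payload=512, ident=0x1234):
    """A-record query for `name` with an EDNS(0) OPT pseudo-RR (RFC 6891); the
    OPT CLASS field advertises the UDP payload size we are willing to receive."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: NAME=root, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_flags(resp):
    """Return (rcode, truncated) from a response header. TC=1 means the answer
    did not fit the advertised UDP size, so a resolver must retry over TCP."""
    flags = struct.unpack("!H", resp[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0200)

def probe(server, name, timeout=3.0):
    """Send the same EDNS query over UDP and over TCP and report each transport,
    mirroring the tester's edns512udp / edns512tcp checks."""
    query, result = build_edns_query(name), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            rcode, tc = parse_flags(s.recv(4096))
            result["udp"] = "truncated" if tc else "ok(rcode=%d)" % rcode
    except socket.timeout:
        result["udp"] = "timeout"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            f = s.makefile("rb")  # read(n) blocks until n bytes or EOF
            length = struct.unpack("!H", f.read(2))[0]
            rcode, _ = parse_flags(f.read(length))
            result["tcp"] = "ok(rcode=%d)" % rcode
    except (socket.timeout, ConnectionRefusedError):
        result["tcp"] = "timeout"  # a closed TCP/53 ends up here, as on the flag day site
    return result

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))  # placeholders: python3 probe.py 203.0.113.53 example.com
```

A firewall that silently drops TCP/53 shows as "timeout" on the tcp side while udp still answers, which is the same split the tester reports.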