[76615] in North American Network Operators' Group
Re: Anycast 101
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Dec 17 12:05:13 2004
To: crist.clark@globalstar.com
Cc: "Steven M. Bellovin" <smb@research.att.com>,
Iljitsch van Beijnum <iljitsch@muada.com>,
NANOG list <nanog@nanog.org>
In-Reply-To: Your message of "Thu, 16 Dec 2004 17:18:12 PST."
<41C233D4.3010105@globalstar.com>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 17 Dec 2004 12:04:17 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 16 Dec 2004 17:18:12 PST, Crist Clark said:
> Into a UDP response. A resolver will receive the first 512 bytes of the
> truncated response and may then use TCP to get the complete response...
> unless there is a firewall blocking 53/tcp in the way. But how often
> does that happen?
You're new here, aren't you? ;)
It happens *all* *the* *time* (probably just as often as sites that block
all ICMP including 'frag needed' and wonder why PMTU Discovery breaks and
connections hang).
The *real* operational problem is that almost 100% of the time that there's
a firewall blocking 53/tcp, the person running the firewall is (a) unaware
that it's blocking it and (b) doesn't even realize that DNS *can* use TCP....
Quite often, there's even a "(c) they don't even know they have a firewall" just
to make things really interesting.
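The truncation-then-TCP behaviour the thread describes, as an added example that is not part of the original posts: it decodes the DNS header to see whether the TC bit is set, applies the 2-byte length framing DNS uses over TCP, and, in `check_tcp_fallback`, does what a resolver would do so an operator can tell whether their own firewall is silently dropping 53/tcp. The `server` and `query` arguments, the sample headers and the result strings are assumptions constructed for the example.

```python
import socket
import struct

# Constructed samples: 12-byte DNS headers. Flags 0x8380 = QR|TC|RD|RA (reply
# cut at 512 bytes); 0x8180 = QR|RD|RA (complete reply). Only the header matters.
TRUNCATED_UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

def parse_header(msg):
    """Decode the fields of the 12-byte DNS header that matter here."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200), "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_response):
    """RFC 1035: a reply with TC set was cut at 512 bytes; retry over TCP."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]

def tcp_frame(dns_message):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(dns_message)) + dns_message

def tcp_unframe(stream_bytes):
    """Strip the length prefix; raise if the stream delivered less than promised."""
    (length,) = struct.unpack("!H", stream_bytes[:2])
    body = stream_bytes[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body

def check_tcp_fallback(server, query, timeout=3.0):
    """Query over UDP; if TC is set, retry on 53/tcp as a resolver would.
    Returns 'not-truncated', 'ok', or 'tcp-blocked' (the firewall case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        udp_resp = u.recv(512)
    if not needs_tcp_retry(udp_resp):
        return "not-truncated"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(tcp_frame(query))
            raw = t.recv(2)
            raw += t.recv(struct.unpack("!H", raw)[0])
        parse_header(tcp_unframe(raw))  # raises if the TCP reply is malformed
        return "ok"
    except (OSError, ValueError, struct.error):
        return "tcp-blocked"
```

A 'tcp-blocked' result against a server that is known to answer on TCP points at a filter on the path, which is exactly the case the thread says most firewall operators do not know they have.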