[98459] in North American Network Operators' Group
Re: large organization nameservers sending icmp packets to dns servers.
daemon@ATHENA.MIT.EDU (Paul Vixie)
Wed Aug 8 20:43:34 2007
From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Your message of "Wed, 08 Aug 2007 17:22:10 MST."
<D1CBA722-0659-463F-9D85-1A806B11813A@mail-abuse.org>
Date: Thu, 09 Aug 2007 00:35:39 +0000
Errors-To: owner-nanog@merit.edu
> >> ... but a TCP connection will consume a
> >> significant amount of a name server's resources.
> >
> > ...wrong.
>
> Wanting to understand this comment, ...
the resources a nameserver gives to TCP connections are tightly controlled,
as described in RFC 1035 4.2.2. so while TCP/53 can become unreliable during
high load, the problems will be felt by initiators, not targets.
(this is why important AXFR targets have to be firewalled down to a very small
population of just one's own nameservers, and is why important zones have to
use unpublished primary master servers, and is why f-root's open AXFR of the
root zone is a diagnostic service not a production service.)
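To make the two operational points above concrete (TCP resources bounded so that overload is felt by the initiator, and AXFR answered only for a small allowlist of one's own nameservers), here is an added example; it is not part of Vixie's post and is not BIND's or any other real server's code. It is a minimal authoritative-only DNS-over-TCP responder in Python's asyncio. The connection cap, idle timeout, allowlist networks, the toy zone `example.test.`, the peer addresses and the function names (`serve_query`, `handle_tcp`, `demo`) are all constructed assumptions for illustration:

```python
import asyncio
import ipaddress
import struct

# Constructed for this example: the cap and idle timeout stand in for RFC 1035 4.2.2's "tightly
# controlled" TCP resources; the allowlist is the small set of our own nameservers; ZONE is a toy.
MAX_TCP_CLIENTS, IDLE_TIMEOUT = 2, 1.0
TRANSFER_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
ZONE = {"www.example.test.": "192.0.2.10"}
QTYPE_A, QTYPE_AXFR, RCODE_NOERROR, RCODE_FORMERR, RCODE_NXDOMAIN, RCODE_REFUSED = 1, 252, 0, 1, 3, 5

def build_query(txid, qname, qtype):
    """Wire-format query without the TCP length prefix: RD set, one question, class IN."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".") if l) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, qname, qtype, end_of_question); ValueError/struct.error if malformed."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 5 > len(msg):                          # root label + qtype + qclass must fit
        raise ValueError("truncated question")
    return txid, flags, ".".join(labels) + ".", struct.unpack("!H", msg[pos + 1:pos + 3])[0], pos + 5

def transfer_allowed(peer_ip):
    return any(ipaddress.ip_address(peer_ip) in net for net in TRANSFER_ALLOWLIST)

def build_response(msg, qend, rcode, answer=b""):
    txid, flags = struct.unpack("!HH", msg[:4])
    flags = 0x8400 | (flags & 0x0100) | rcode       # QR=1, AA=1, copy RD, RA=0, rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0) + msg[12:qend] + answer

def serve_query(peer_ip, msg):
    """Authoritative-only policy: AXFR only from the allowlist; A records from ZONE."""
    try:
        _, _, qname, qtype, qend = parse_question(msg)
    except (ValueError, struct.error):
        txid = struct.unpack("!H", msg[:2].ljust(2, b"\x00"))[0]
        return struct.pack("!HHHHHH", txid, 0x8000 | RCODE_FORMERR, 0, 0, 0, 0)
    if qtype == QTYPE_AXFR:
        # a permitted transfer would stream the zone here (omitted); only the decision is shown
        return build_response(msg, qend, RCODE_NOERROR if transfer_allowed(peer_ip) else RCODE_REFUSED)
    if qname not in ZONE or qtype != QTYPE_A:       # NXDOMAIN, or NODATA for a type we do not hold
        return build_response(msg, qend, RCODE_NXDOMAIN if qname not in ZONE else RCODE_NOERROR)
    rdata = ipaddress.ip_address(ZONE[qname]).packed
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, len(rdata)) + rdata   # owner = pointer to the question
    return build_response(msg, qend, RCODE_NOERROR, rr)

async def handle_tcp(reader, writer, state):
    """One TCP client: dropped at once when over the cap, closed when idle or finished."""
    if state["active"] >= MAX_TCP_CLIENTS:
        state["dropped"] += 1
        writer.close()
        return
    state["active"] += 1
    peer_ip = writer.get_extra_info("peername")[0]
    try:
        while True:
            try:
                hdr = await asyncio.wait_for(reader.readexactly(2), IDLE_TIMEOUT)
                msg = await asyncio.wait_for(reader.readexactly(struct.unpack("!H", hdr)[0]), IDLE_TIMEOUT)
            except (asyncio.TimeoutError, asyncio.IncompleteReadError):
                break                                   # idle or gone: reclaim the slot
            resp = serve_query(peer_ip, msg)
            writer.write(struct.pack("!H", len(resp)) + resp)
            await writer.drain()
    finally:
        state["active"] -= 1
        writer.close()

async def demo():
    """Loopback run: idle clients fill the cap, a third is dropped, and after the timeout an AXFR
    from 127.0.0.1 (outside the allowlist) is answered REFUSED."""
    state = {"active": 0, "dropped": 0}
    server = await asyncio.start_server(lambda r, w: handle_tcp(r, w, state), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        idle = [await asyncio.open_connection("127.0.0.1", port) for _ in range(MAX_TCP_CLIENTS)]
        await asyncio.sleep(0.2)                        # let their handlers take the slots
        r3, w3 = await asyncio.open_connection("127.0.0.1", port)
        third_dropped = await r3.read(2) == b""         # server closed it without answering
        await asyncio.sleep(IDLE_TIMEOUT + 0.3)         # idle slots reclaimed by the timeout
        r4, w4 = await asyncio.open_connection("127.0.0.1", port)
        q = build_query(7, "example.test.", QTYPE_AXFR)
        w4.write(struct.pack("!H", len(q)) + q)
        resp = await r4.readexactly(struct.unpack("!H", await r4.readexactly(2))[0])
        for _, w in idle + [(r3, w3), (r4, w4)]: w.close()
    return {"third_dropped": third_dropped, "axfr_rcode": resp[3] & 0x0F, "dropped": state["dropped"]}

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Run as a script, `demo()` plays the scenario on loopback: two idle TCP clients hold the only slots, a third client is closed immediately with nothing read (the initiator, not the server, absorbs the failure), the idle pair are reaped by the timeout, and a subsequent AXFR from an address outside the allowlist gets rcode 5 (REFUSED) while an A query for the toy zone is answered normally. Each policy decision lives in `serve_query`, which is pure and can be exercised without sockets. In BIND 9 the corresponding knobs are `tcp-clients` (the connection cap) and a per-zone `allow-transfer` ACL; a production server also needs the SYN backlog and per-address limits that this example leaves to the kernel and the firewall.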