bind vs djbdns
D. J. Bernstein
75628121832146-bind at sublist.cr.yp.to
Wed Aug 30 17:00:11 UTC 2000
David R. Conrad writes:
> In djbdns, support for TCP is optional and requires a separate step
False. TCP is automatically supported for _outgoing_ queries, i.e.,
looking up other people's records. There are a few sites with big
records; djbdns (unlike BIND, and unlike most applications based on the
BIND client library) has no problem looking them up.
TCP is rejected by default for _incoming_ queries, i.e., other people
looking up our records. As the FAQ entry says:

    DNS-over-TCP is much slower than DNS-over-UDP and is inherently
    much more vulnerable to denial-of-service attacks. Most sites have no
    need to provide TCP service and should not set it up.

    You will need to provide TCP service if you are allowing zone
    transfers, or if your registrar foolishly checks for TCP service, or
    if you want to provide record sets over 512 bytes (which won't work
    with most clients anyway).

The FAQ entry goes on to explain how the sites in these situations can
set up TCP service. But typical sites, like mine, simply don't need it.
As for the bogus ``violation of RFC 1035'' claim: The current spec on
this topic is RFC 1123, which recommends TCP support. The rationale for
the recommendation is that it was ``clear'' eleven years ago that UDP
would not suffice for typical sites ``in the future.'' Anyway, there's
no requirement.
---Dan
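The 512-byte limit and the TCP fallback that the thread argues about are easy to see in code. The following is an added example, not code from the post, from djbdns or from BIND: it builds an authoritative A-record reply the way RFC 1035 describes, sets the TC (truncated) bit when the UDP reply would exceed 512 bytes, and shows the resolver side deciding whether to retry over TCP, where each message carries a two-byte length prefix. The name example.com and the 10.0.0.x addresses are constructed sample data; the helper names are my own. EDNS0 (which lets clients advertise larger UDP buffers) postdates the 512-byte rule and is deliberately left out to match the discussion.

```python
from __future__ import annotations
import struct

# RFC 1035 limit for a DNS message carried in a single UDP datagram (without EDNS0).
DNS_UDP_MAX = 512


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: length byte + label, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header (RFC 1035 section 4.1.1); only the fields used here are returned."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,   # 1 = response
        "aa": (flags >> 10) & 1,   # authoritative answer
        "tc": (flags >> 9) & 1,    # truncated: the full answer did not fit
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_a_reply(ident: int, qname: str, addrs: list[bytes], over_tcp: bool = False) -> bytes:
    """Authoritative server side: answer an A query with the given IPv4 rdata values.

    Over UDP, a reply that would exceed DNS_UDP_MAX is cut back to header + question
    with TC=1, which tells the client to retry over TCP. Over TCP there is no such limit.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for rdata in addrs:
        # 0xC00C is a compression pointer to offset 12, i.e. the name in the question section.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    flags = 0x8400                                              # QR=1, AA=1
    full = struct.pack("!HHHHHH", ident, flags, 1, len(addrs), 0, 0) + question + answers
    if over_tcp or len(full) <= DNS_UDP_MAX:
        return full
    # Truncated reply: TC=1, no answer records, so the client knows the set is incomplete.
    return struct.pack("!HHHHHH", ident, flags | 0x0200, 1, 0, 0, 0) + question


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """Resolver side: a UDP reply with TC=1 must be re-asked over TCP to get the full record set."""
    return parse_header(udp_reply)["tc"] == 1


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a two-byte big-endian length (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for the 16-bit TCP length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> list[bytes]:
    """Split a TCP byte stream into complete DNS messages; a trailing partial message is left out."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def lookup_big_record(qname: str, addrs: list[bytes]) -> dict:
    """Walk the resolver's path offline: try UDP first, retry over TCP only if the reply was truncated."""
    udp = build_a_reply(0x1234, qname, addrs)
    if not needs_tcp_retry(udp):
        return {"transport": "udp", "answers": parse_header(udp)["ancount"], "size": len(udp)}
    tcp = unframe_from_tcp(frame_for_tcp(build_a_reply(0x1234, qname, addrs, over_tcp=True)))[0]
    return {"transport": "tcp", "answers": parse_header(tcp)["ancount"], "size": len(tcp)}


if __name__ == "__main__":
    # Constructed sample data: 30 A records for example.com fit in 512 bytes, 31 do not.
    small = [bytes([10, 0, 0, i]) for i in range(1, 31)]
    big = [bytes([10, 0, 0, i]) for i in range(1, 32)]
    print(lookup_big_record("example.com", small))   # {'transport': 'udp', 'answers': 30, 'size': 509}
    print(lookup_big_record("example.com", big))     # {'transport': 'tcp', 'answers': 31, 'size': 525}
```

The arithmetic behind the sample: a 12-byte header plus a 17-byte question for example.com leaves room for exactly 30 compressed A records of 16 bytes each (509 bytes total); the 31st pushes the message to 525 bytes, so a UDP-only server must answer with TC=1 and only a TCP-capable client gets the whole set. That is the "record sets over 512 bytes" case the FAQ excerpt refers to, and the reason a server that refuses incoming TCP can still serve typical zones without anyone noticing.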