> > It does, but normally only responses which are too long for UDP
> > require the use of TCP. A recursive nameserver could mitigate this
> > type of attack by lowering the maximum response size it is willing
> > to send via UDP, forcing the use of TCP and thus a three-way
> > handshake for larger responses. The tricky part is that setting
> > the threshold too low can have serious performance impact.
>
> Note that in real deployments just this behavior has broken things
> on occasion, as many firewall and other such policy application points
> assume things like DNS resolution will only be UDP/53 transactions.

That assumption has always been wrong. I would also dispute the "many" above. Most firewalls actually handle the transition to TCP perfectly fine. There are the odd few that are misconfigured. When that happens people complain because nameserver resolution fails. Either the dataset is "fixed" or the firewall is fixed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
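The UDP size threshold and TC-bit fallback discussed in the thread, as an added Python example that is not part of the original messages: a minimal A-record responder truncates (TC=1) any answer that would exceed its configured UDP limit, and the client side checks that bit to decide on a TCP retry. The hostname, addresses and the simplification of dropping the whole answer section on truncation are this example's assumptions.

```python
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word

def encode_name(name):
    """Encode a dotted hostname in DNS wire format (labels, no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_a_response(txid, name, ips, max_udp_size):
    """Build a DNS answer for an A query (constructed sample data).
    If the full message would not fit in max_udp_size bytes, return a truncated
    copy (TC=1, empty answer section) instead, which tells the client to retry
    the same query over TCP, i.e. after a three-way handshake."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c"                                          # pointer to the name at offset 12
        + struct.pack("!HHIH", 1, 1, 300, 4)                 # TYPE=A, CLASS=IN, TTL, RDLENGTH
        + bytes(int(octet) for octet in ip.split("."))       # 4-byte IPv4 RDATA
        for ip in ips)
    flags = 0x8180                                           # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    full = header + question + answers
    if len(full) <= max_udp_size:
        return full
    # Too large for the configured UDP limit: set TC and keep only the question.
    truncated_header = struct.pack("!HHHHHH", txid, flags | TC_BIT, 1, 0, 0, 0)
    return truncated_header + question

def needs_tcp_retry(wire):
    """Client-side check: a UDP response with TC set must be re-queried over TCP."""
    flags = struct.unpack("!H", wire[2:4])[0]
    return bool(flags & TC_BIT)

def tcp_fallback_share(response_sizes, max_udp_size):
    """Fraction of responses a given UDP limit would push onto TCP; a way to
    gauge the performance cost of a low threshold before deploying it."""
    forced = sum(1 for size in response_sizes if size > max_udp_size)
    return forced / len(response_sizes) if response_sizes else 0.0
```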