it's shipped by default not being able to run reliably on the internet and has no big "before you open this" warning on the box? it has cost me days, and cost other folk hours.
If you enabled debug logging, you would see the connection is closed due to IO timeout.
i had debug logging enabled. and that was one of the clues on the trail. but it was many steps from that to learning that the default is a magic tunable that defaults to a value which is not viable on the real internet.
A high timeout value has other disadvantages. That's why it's configurable!
while i appreciate the vuln, and appreciate that it is tunable, a default which does not work on the intertubes and no prominent warning is, imiho, not reasonable. to quote one of the old dns dogs who was one of the victims of this little adventure
defaulting to 500ms" and apply it to both outgoing zone transfers and all other "normal" queries carried over TCP for a non-hidden publishing primary name server distributing non-trivial-sized zone files to secondaries which are geographically widely distributed seems like a recipe for disaster.
randy