Worldnic does TCP-before-UDP DNS tricks, breaking powerdns recursor and those w/o TCP connectivity

[bert hubert]

Hi Nanog people,

The PowerDNS recursor has hit a snag resolving www.kde-look.org. It
appears Worldnic has implemented 'TCP-before-UDP' on ns{9,10}.worldnic.com,
whereby it sends out answers with the truncated bit set, and without an
actual answer. Once the client has re-asked the query over TCP, it from then
on allows UDP queries. This is possibly done to prevent DoS attacks.

This hits those people who've been running the pdns recursor w/o heeding the
warning on http://doc.powerdns.com/built-in-recursor.html stating our
inadequacies regarding truncated packets.

But is also hits everybody who only allows UDP port 53, which generally
works fine, except now! Recall the AOL huge packet event from way back. So
make sure your resolvers have TCP connectivity!

And yes, my message may read a bit like djb's back in the time AOL started
to use > 512 byte packets :-) The problem is solved in SVN luckily.

Apologies. But just a heads up that if you suddenly have non-working
Worldnic domains, you now know two possible causes.

A quick solution for PowerDNS recursor users is to run 'dig www.kde-look.org
@ns9.worldnic.com' periodically. Or upgrade to the SVN snapshot mentioned
below, but do note that it is experimental.

Wiki: http://wiki.powerdns.com/projects/trac/
Message: http://mailman.powerdns.com/pipermail/pdns-users/2005-July/002414.html
SVN snapshot solving the problem: http://ds9a.nl/pdns/pdns-2.9.18-svn.tar.gz

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services