On Fri, 2004-09-17 at 03:26, Simon Hobson wrote:
> At 1:31 pm -0700 16/9/04, Roy S. Rapoport wrote:
>
> > > I have a friend 8^) who wants to allow TCP DNS through the firewall. The
> > > firewall people are not keen to do this. Telling them that "the
> > > firewall is broken" unfortunately does not sway them. My friend needs
> > > examples of real Internet domain lookups that truncate and require TCP.
> > > Does anybody out there know of any?
> >
> > Why does it matter what other people have? Does your friend have a need for
> > TCP DNS? If so, he should be able to demonstrate the need based on his own
> > requirements, rather than someone else's requirements.
>
> I'd have thought that if the spec states that TCP is required, then
> TCP should be allowed. What is going on here is that the firewall
> people are saying that real-world DNS queries don't use TCP and so
> they won't allow it even though it breaks the specs.
>
> What the OP is asking for is some examples he can use to show that
> TCP really is used in real life, presumably because the argument "the
> specs require it and if we don't do it then sooner or later we'll
> have a strange and hard to diagnose DNS problem" hasn't persuaded
> them.
>
> I'd have thought that the 'need' for TCP is obvious - the spec says
> it can be used anytime a query result won't fit in a UDP packet. That
> for me is sufficient justification for allowing it, simply because we
> can't tell, in advance, what size the results will be to EVERY query
> we ever make in the future. Personally, I have enough headaches
> without adding something like that to try and diagnose !
>
> Simon


Real examples are given over and over again. The OP should check the
archives. Off the top of my head I believe resolving google requires use
of TCP.
--
G. Roderick Singleton
PATH tech
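As an added illustration of the fallback Simon describes (this is example code, not anything posted by the participants): a resolver-side check that inspects the TC bit in a UDP reply and frames the same query for a TCP retry, which is the traffic a firewall that blocks TCP/53 silently breaks. The DNS messages below are constructed inline, not captured from any server.

```python
import struct

TC_BIT = 0x0200  # RFC 1035 4.1.1: TrunCation flag in the header flags word

# Constructed samples (not real captures). Both carry transaction id 0x1234.
# Flags 0x8380 = QR|TC|RD|RA: the answer did not fit in the UDP reply.
TRUNCATED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + b"\x00\x00\x01\x00\x01"
# Flags 0x8180 = QR|RD|RA: a normal, complete reply header.
NORMAL_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x00\x00\x01\x00\x01"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question) in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def is_truncated(response: bytes) -> bool:
    """True if the server set TC, i.e. the full answer did not fit over UDP."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack(">H", response[2:4])
    return bool(flags & TC_BIT)


def frame_for_tcp(message: bytes) -> bytes:
    """Prefix the message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(message)) + message


def read_tcp_message(stream: bytes) -> bytes:
    """Strip and validate the 2-byte length prefix of a TCP DNS message."""
    if len(stream) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack(">H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete TCP DNS message")
    return stream[2:2 + length]


def next_transport(query: bytes, udp_response: bytes) -> str:
    """What a compliant resolver does after the UDP exchange."""
    if udp_response[:2] != query[:2]:
        return "discard"  # transaction id mismatch: not our reply
    return "retry-over-tcp" if is_truncated(udp_response) else "done"
```

With TCP/53 filtered, the "retry-over-tcp" branch hangs until the resolver times out, which is exactly the hard-to-diagnose failure the thread warns about.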