Aug. 21, 2017
2:23 p.m.
On 3 Aug 2017, at 7:33, Davey Song wrote:
Geoff reported that 17% of resolvers cannot ask a query in TCP. So probably in the extreme case 0.34% of IPv6 resolvers around the world will fail to validate the answers. 0.34% of millions (if IPv6 is dominant) is not a trivial number.
Is the set of resolvers that cannot ask a TCP query (inversely) correlated with resolvers that do DNSSEC? I would assume that a DNSSEC-capable resolver will happily resolve over TCP. I can't imagine that there is a 17% prevalence of TCP-blocking firewalls. But who knows…

—Olaf