Worldnic does TCP-before-UDP DNS tricks, breaking powerdns recursor and those w/o TCP connectivity

Hi Nanog people,

The PowerDNS recursor has hit a snag resolving It
appears Worldnic has implemented 'TCP-before-UDP' on ns{9,10},
whereby it sends out answers with the truncated bit set, and without an
actual answer. Once the client has re-asked the query over TCP, it from then
on allows UDP queries. This is possibly done to prevent DoS attacks.

This hits those people who've been running the pdns recursor w/o heeding the
warning on stating our
inadequacies regarding truncated packets.

But it also hits everybody who only allows UDP port 53, which generally
works fine, except now! Recall the AOL huge packet event from way back. So
make sure your resolvers have TCP connectivity!
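As an added illustration (not part of the original post, and not PowerDNS code), here is a small checker that does what a correct resolver must do against a 'TCP-before-UDP' server: ask over UDP, notice the TC bit on an empty reply, and re-ask over TCP, failing loudly if TCP/53 is blocked. The server address and transport functions are assumptions; the network senders are plain sockets and can be swapped for constructed replies when testing offline.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Build a minimal DNS query (RD=1) for `name`; qtype 1 = A, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Return (id, tc, rcode, ancount) from the 12-byte DNS header."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return qid, bool(flags & 0x0200), flags & 0x000F, ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf

def udp_send(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def tcp_send(server, query, timeout=3.0):
    # RFC 1035: TCP messages carry a two-byte big-endian length prefix.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        length = struct.unpack(">H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)

def resolve_with_tc_fallback(server, name, udp=udp_send, tcp=tcp_send):
    """Query over UDP; on TC=1 retry over TCP. Returns (transport, ancount)."""
    query = build_query(name)
    qid, tc, _rcode, ancount = parse_header(udp(server, query))
    if qid != 0x1234:
        raise RuntimeError("response id mismatch")
    if not tc:
        return "udp", ancount
    try:
        resp = tcp(server, query)
    except OSError as e:  # this is the case the post warns about
        raise RuntimeError("truncated UDP answer but TCP/53 unreachable") from e
    _qid, _tc, _rcode, ancount = parse_header(resp)
    return "tcp", ancount
```

Run it against a resolver that you suspect is affected; a RuntimeError about TCP/53 means the firewall, not the nameserver, is what needs fixing.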

And yes, my message may read a bit like djb's back in the time AOL started
to use > 512 byte packets :) The problem is solved in SVN luckily.

Apologies. But just a heads up that if you suddenly have non-working
Worldnic domains, you now know two possible causes.

A quick solution for PowerDNS recursor users is to run 'dig' periodically. Or upgrade to the SVN snapshot mentioned
below, but do note that it is experimental.

SVN snapshot solving the problem: