From: Otto Date: Tue, 10 Aug 2021 07:22:52 +0000 (+0200) Subject: Google is working to fix their TFO issues on their DNS servers X-Git-Tag: dnsdist-1.7.0-alpha1~70^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10639%2Fhead;p=thirdparty%2Fpdns.git Google is working to fix their TFO issues on their DNS servers --- diff --git a/pdns/recursordist/docs/performance.rst b/pdns/recursordist/docs/performance.rst index da1ba47dd1..b8b9ca663b 100644 --- a/pdns/recursordist/docs/performance.rst +++ b/pdns/recursordist/docs/performance.rst 
@@ -126,10 +126,10 @@ Please note that if active (outgoing) TCP Fast Open attempts fail in particular This behaviour can be monitored by watching the ``TCPFastOpenBlackHole`` kernel metric and influenced by setting the ``net.ipv4.tcp_fastopen_blackhole_timeout_sec`` sysctl. While developing active TCP Fast Open, it was needed to set ``net.ipv4.tcp_fastopen_blackhole_timeout_sec`` to zero to circumvent the issue, since it was triggered regularly when connecting to authoritative nameservers that did not respond. -At the moment of writing, the Google operated nameservers (both recursive and authoritative) indicate Fast Open support in the TCP handshake, but do not accept the cookie they sent previously and send a new one for each connection. -We can only hope Google will fix this issue soon. +At the moment of writing, some Google operated nameservers (both recursive and authoritative) indicate Fast Open support in the TCP handshake, but do not accept the cookie they sent previously and send a new one for each connection. +Google is working to fix this. -If you operate an anycast pool of machines, make them share the TCP Fast Open Key by setting the ``net.ipv4.tcp_fastopen_key`` sysctl, otherwise you will create a similar issue the Google servers have. +If you operate an anycast pool of machines, make them share the TCP Fast Open Key by setting the ``net.ipv4.tcp_fastopen_key`` sysctl, otherwise you will create a similar issue some Google servers have. To determine a good value for the :ref:`setting-tcp-fast-open` setting, watch the ``TCPFastOpenListenOverflow`` metric. If this value increases often, the value might be too low for your traffic, but note that increasing it will use kernel resources.
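Review bot: The added sentence "Google is working to fix this." and the "At the moment of writing" line before it carry no date or reference, so a later reader of performance.rst cannot tell whether the cookie rejection still applies. Consider tying both to a date (the commit is from August 2021) or citing a source for the statement. In the changed anycast sentence, "otherwise you will create a similar issue some Google servers have" reads awkwardly; "otherwise you will create an issue similar to the one some Google servers have" is clearer, and "Google operated" would normally be hyphenated.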