Andrew Sullivan <a...@anvilwalrusden.com> wrote:
>
> In section 6, there's this:
>
>    The server MUST NOT enforce these rules for a particular
>    client because it does not know if the client IP address belongs to a
>    single client or is, for example, multiple clients behind NAT.
>
> I don't think that MUST NOT is reasonable.
I think the recommended limits in that paragraph are OK only if viewed from
the perspective of individual client programs. The above quote is correct
in that there's no sensible way for the server to enforce the limit - never
mind NAT, if a user starts up a second browser, will it be locked out of
TCP queries until the first one closes its connection?

I suggest:

   To mitigate the risk of unintentional server overload, DNS clients
   MUST take care to minimize the number of concurrent TCP connections
   made to any individual server. It is RECOMMENDED that for any given
   client-server interaction a client SHOULD limit itself to no more than
   one connection for regular queries, one for zone transfers and one for
   each protocol that is being used on top of TCP, for example, if the
   resolver was using TLS.

   Servers MAY impose limits on the number of concurrent TCP connections
   being handled for any particular client. These limits SHOULD be much
   looser than the client guidelines above, because it does not know if
   the client IP address belongs to a single client or is, for example,
   multiple resolvers on a single machine, or multiple clients behind
   NAT.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes: West or southwest 5 or 6, becoming variable 4, then becoming south
or southeast 5 or 6. Moderate or rough. Occasional rain. Good, becoming
moderate or poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
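The two-sided scheme proposed in the message above (a tight per-purpose connection budget on the client, a much looser per-address cap on the server) as an added illustration; this is example code written for this page, not part of the draft, the thread, or any resolver or server implementation. The set of connection purposes (`query`, `axfr`, `tls`), the server cap of 25, the server name `ns1.example` and the NAT address `198.51.100.7` are all constructed assumptions for the simulation. The point the simulation makes is the one Tony raises: if the server applied the client guideline per IP address, well-behaved clients behind a single NAT would be locked out.

```python
"""Client-side per-purpose connection reuse versus server-side per-address caps
for DNS over TCP. Added example, not code from the draft or the thread."""
from collections import defaultdict

# Assumed purposes for this example: one connection each for ordinary queries,
# zone transfers, and each protocol layered on TCP (here just TLS).
CLIENT_PURPOSES = ("query", "axfr", "tls")


class ClientConnectionManager:
    """Holds at most one open connection per (server, purpose) pair,
    reusing it for every further request with the same purpose."""

    def __init__(self):
        self._conns = {}      # (server, purpose) -> connection id
        self._next_id = 0

    def connection_for(self, server, purpose):
        if purpose not in CLIENT_PURPOSES:
            raise ValueError(f"unknown connection purpose {purpose!r}")
        key = (server, purpose)
        if key not in self._conns:          # open a new one only if absent
            self._next_id += 1
            self._conns[key] = self._next_id
        return self._conns[key]

    def open_connections_to(self, server):
        return sum(1 for (s, _) in self._conns if s == server)

    def close(self, server, purpose):
        self._conns.pop((server, purpose), None)


class ServerConnectionLimiter:
    """Caps concurrent connections per source address. The default of 25 is
    an assumed value chosen to be far looser than the client guideline,
    since one address may front many clients (NAT, several resolvers)."""

    def __init__(self, max_per_address=25):
        self.max_per_address = max_per_address
        self._count = defaultdict(int)

    def accept(self, source_addr):
        if self._count[source_addr] >= self.max_per_address:
            return False                    # over the per-address cap
        self._count[source_addr] += 1
        return True

    def release(self, source_addr):
        if self._count[source_addr] > 0:
            self._count[source_addr] -= 1


def simulate_nat(n_clients, server_limit):
    """n_clients well-behaved clients sit behind one NAT address and each
    open exactly len(CLIENT_PURPOSES) connections to the same server.
    Returns (accepted, rejected) connection counts as seen at the server."""
    server = ServerConnectionLimiter(server_limit)
    nat_addr = "198.51.100.7"   # constructed sample address (RFC 5737 range)
    accepted = rejected = 0
    for _ in range(n_clients):
        client = ClientConnectionManager()
        for purpose in CLIENT_PURPOSES:
            client.connection_for("ns1.example", purpose)
        # Every connection from every client arrives from the NAT address.
        for _ in range(client.open_connections_to("ns1.example")):
            if server.accept(nat_addr):
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    # Server enforcing the client guideline (3 per address) locks out all but
    # the first client; a looser cap admits everyone.
    print("strict server cap:", simulate_nat(5, len(CLIENT_PURPOSES)))
    print("loose server cap: ", simulate_nat(5, 25))
```

Running the module prints the accepted/rejected counts for five clients behind one NAT address under a strict and a loose server cap; the client class shows the reuse behaviour (a second `connection_for("ns1.example", "query")` returns the existing connection rather than opening another).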