>> it's shipped by default not being able to run reliably on the internet
>> and has no big "before you open this" warning on the box? it has cost
>> me days, and cost other folk hours.
>
> If you enabled debug logging, you would see the connection is closed
> due to IO timeout.
i had debug logging enabled. and that was one of the clues on the
trail. but it was many steps from that to learning that the default is
a magic tunable that defaults to a value which is not viable on the real
internet.
> A high timeout value has other disadvantages. That's why it's
> configurable!
while i appreciate the vuln, and appreciate that it is tunable, a
default which does not work on the intertubes and no prominent warning
is, imiho, not reasonable. to quote one of the old dns dogs who was one
of the victims of this little adventure
defaulting to 500ms" and apply it to both outgoing zone transfers
and all other "normal" queries carried over TCP for a non-hidden
publishing primary name server distributing non-trivial-sized zone
files to secondaries which are geographically widely distributed
seems like a recipe for disaster.
randy
--
