[nsd-users] How does NSD use TFO (TCP Fast Open)?

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Jun 9 14:05:46 UTC 2020

Hi Anand,

On 09/06/2020 15:35, Anand Buddhdev via nsd-users wrote:
> Hello NSD developers,
> Did you see this email I sent a few days ago? I'd love to here from you,
> to better understand how NSD uses TFO.


> Regards,
> Anand
> On 03/06/2020 15:28, Anand Buddhdev via nsd-users wrote:
>> Hi NSD developers,
>> I see that NSD can be configured with --enable-tcp-fastopen. However,
>> the documentation doesn't say which parts of NSD use TFO.

NSD uses TCP fast open for servicing clients.  That is downstream
connections.  It is an authoritative server.  If enabled NSD uses it for
TCP streams, and also for TLS streams.

>> Does NSD use TFO as a client, when requesting XFR from a server?

No it does not.  NSD does perform session reuse, using the same tcp
stream again for XFR requests from a server, or asking multiple XFRs at
the same time.

>> Does NSD generate and provide TFO cookies to clients that request them?

No, but I guess the system may do that, when TFO is enabled with a
socket option.  But NSD can perform OCSP stapling with tls-service-ocsp,
if you want that.

>> Or does NSD do both of the above?
>> Is there any downside to enabling TFO? If not, why isn't it enabled by
>> default?

The option is there because the functionality is not present in all
kernels.  If you want it by default, that mostly depends on people with
older kernels and how that fails, if our users have recent systems we
could enable it by default I guess.

In many cases the user has to enable TFO support in the kernel of the
system with admin commands, you can see them in documentation, and I
think it is a surprise to enable the TFO in NSD by default for users
that have not enabled it?

Best regards, Wouter

> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users

More information about the nsd-users mailing list