I haven’t seen a final draft yet, so hopefully it’s not too late to suggest further additions :)

A talk [1] at DNS OARC 42 this morning reminded me of a common pitfall we might do well to point out in the document.


Beware of state in the network!

State-holding middleware, e.g. firewalls and load-balancers, whether in discrete devices or local to the nameserver host itself (e.g. connection tracking in Linux netfilter), often comes with a default configuration not tuned in expectation of the high volumes of UDP seen at a DNS server. A typical failure scenario sees state tables overrun, resulting in dropped packets.

Careful consideration should be given to tuning how state is held in the network; is it needed at all?


dave


[1]

Real world challenges with large responses, truncation, and TCP

<https://indico.dns-oarc.net/event/48/contributions/1036/>
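An added example, not part of dave's message or of the document under discussion: a small POSIX sh script that reports how full the Linux netfilter conntrack table is (the state table that overflows in the scenario above) and emits an nftables ruleset that exempts DNS traffic from connection tracking entirely. The 80% alert threshold, the sample values used when the netfilter sysctl files are not readable, and the table/chain names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): measure conntrack table
# utilisation on a Linux nameserver host and emit nftables rules that keep
# DNS traffic out of conntrack. Thresholds and sample values are assumptions.

CONNTRACK_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CONNTRACK_MAX=/proc/sys/net/netfilter/nf_conntrack_max
WARN_PCT=80   # assumed alerting threshold, not a kernel default

# Percentage of the conntrack table in use, integer arithmetic only.
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# OK / WARN verdict against WARN_PCT. Once the table reaches
# nf_conntrack_max the kernel drops new flows and logs
# "nf_conntrack: table full, dropping packet" in dmesg.
conntrack_state() {
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge "$WARN_PCT" ]; then echo WARN; else echo OK; fi
}

# Use live values when the netfilter sysctl files are readable; otherwise
# fall back to constructed sample numbers so the script runs anywhere.
conntrack_report() {
    if [ -r "$CONNTRACK_COUNT" ] && [ -r "$CONNTRACK_MAX" ]; then
        count=$(cat "$CONNTRACK_COUNT"); max=$(cat "$CONNTRACK_MAX"); src=live
    else
        count=200000; max=262144; src=constructed
    fi
    echo "conntrack: $count/$max entries ($(conntrack_pct "$count" "$max")%, $src) -> $(conntrack_state "$count" "$max")"
}

# nftables ruleset that stops conntrack entries being created for DNS over
# UDP. The rules must sit at the raw hook priority (-300), i.e. before the
# conntrack hook sees the packet, and cover both directions: queries arriving
# via prerouting and replies leaving via output. Apply with: nft -f <file>
nft_notrack_rules() {
    cat <<'EOF'
table inet dns_notrack {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        udp dport 53 notrack
    }
    chain output {
        type filter hook output priority raw; policy accept;
        udp sport 53 notrack
    }
}
EOF
}

conntrack_report
nft_notrack_rules
```

Two caveats when applying the ruleset on a real host. First, packets marked notrack have conntrack state `untracked`, so any existing input rule of the form `ct state established,related accept` no longer matches DNS replies or queries; add an explicit accept for port 53 (or for `ct state untracked`) in the input chain before relying on this. Second, if exempting DNS from conntrack is not an option, the next lever is the per-protocol timeouts (`net.netfilter.nf_conntrack_udp_timeout`, 30 seconds by default, and `nf_conntrack_udp_timeout_stream`), since a 30 second lifetime per UDP query is what turns a busy resolver's query rate into a full table; raising `nf_conntrack_max` only delays the same failure.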