I remember looking at TFO some time ago. Our distribution, Oracle Linux, does not enable it server-side by default, so Knot DNS can't enable this feature server-side. We would have to adjust our kernel options to activate it. And even then, it's a bad idea, because we have multiple servers in clusters. A TFO cookie from one server may be replayed to another server, and would be invalid (this problem is similar to EDNS cookies). Even if we configure things carefully and synchronise TFO cookies, the benefit is lost whenever a client connects to a TFO-incapable server in one of our clusters.

We also don't enable TFO on the client side, because we don't have TFO-capable remotes.

In conclusion, we would not miss TFO at all. If it helps you to simplify code, please drop it.

Regards,
Anand Buddhdev
RIPE NCC

On Tue, 9 Dec 2025 at 10:47, Daniel Salzman via knot-dns-users <knot-dns-users@lists.nic.cz> wrote:
Hello Knot DNS users,

Knot DNS has supported TCP Fast Open (when configured) in both the server and client roles for several years.
However, we have not observed any performance or other improvements from this technology so far. Since
removing it would simplify the code, I'm considering dropping support for it. Is there anyone who would
miss TFO in Knot DNS?

For better XFR efficiency between Knots, https://www.knot-dns.cz/docs/latest/singlehtml/index.html#remote-pool-limit
works much better.

Thanks,
Daniel
--
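Added example, not part of this thread and not code from Knot DNS or RIPE NCC: a small POSIX shell check of the kernel setting Anand refers to. Linux exposes TFO policy as the bitmap net.ipv4.tcp_fastopen (bit 0x1 client, 0x2 server, 0x4 client sends without a cookie, 0x200 server accepts without a cookie, 0x400 server on all listeners; default 0x1, i.e. client only), and mints cookies from the per-host secret net.ipv4.tcp_fastopen_key. The function and variable names below are the example's own; the sysctl names and bit values are the kernel's.

```shell
#!/bin/sh
# Added example: decode net.ipv4.tcp_fastopen and report whether this host can
# act as a TFO client, a TFO server, or neither. The bit meanings follow the
# kernel's ip-sysctl documentation; everything else here is illustrative.

# tfo_flags VALUE: print the capabilities encoded in VALUE, the decimal
# integer the kernel shows in /proc/sys/net/ipv4/tcp_fastopen.
tfo_flags() {
    v=$(( $1 ))
    out=""
    if [ $(( v & 1 )) -ne 0 ];    then out="$out client"; fi                        # 0x1
    if [ $(( v & 2 )) -ne 0 ];    then out="$out server"; fi                        # 0x2
    if [ $(( v & 4 )) -ne 0 ];    then out="$out client-sends-without-cookie"; fi   # 0x4
    if [ $(( v & 512 )) -ne 0 ];  then out="$out server-accepts-without-cookie"; fi # 0x200
    if [ $(( v & 1024 )) -ne 0 ]; then out="$out server-all-listeners"; fi          # 0x400
    if [ -z "$out" ]; then out=" disabled"; fi
    printf '%s\n' "${out# }"
}

# tfo_server_enabled VALUE: succeed when the kernel would accept TFO on a
# listening socket (bit 0x2). A distribution default of 1 leaves this clear,
# which is why a server application cannot use TFO on its own.
tfo_server_enabled() {
    [ $(( $1 & 2 )) -ne 0 ]
}

# tfo_report [SYSCTL_DIR]: read the live values. SYSCTL_DIR is a hypothetical
# override for testing; the real location is /proc/sys/net/ipv4.
# tcp_fastopen_key is the per-host cookie secret; in a cluster it must be the
# same on every node, or a cookie minted by one node is rejected by its peers.
tfo_report() {
    dir=${1:-/proc/sys/net/ipv4}
    if [ ! -r "$dir/tcp_fastopen" ]; then
        echo "tcp_fastopen not readable under $dir (not Linux, or no permission)"
        return 2
    fi
    val=$(cat "$dir/tcp_fastopen")
    echo "net.ipv4.tcp_fastopen = $val ($(tfo_flags "$val"))"
    if tfo_server_enabled "$val"; then
        echo "server-side TFO: enabled in the kernel"
    else
        echo "server-side TFO: disabled (net.ipv4.tcp_fastopen=3 enables client and server)"
    fi
    # The key file is root-only (mode 0600), so it is usually unreadable here.
    if [ -r "$dir/tcp_fastopen_key" ]; then
        echo "net.ipv4.tcp_fastopen_key = $(cat "$dir/tcp_fastopen_key")"
    else
        echo "net.ipv4.tcp_fastopen_key: not readable (run as root to compare across cluster nodes)"
    fi
}

# Stand-alone use: print the report; never abort the script if the sysctl
# is absent so that the functions above can still be sourced elsewhere.
tfo_report || :
```

Running this as root on each node of a cluster and diffing the reported key is the quick way to see whether cookies minted by one node would be accepted by another; a client that still reaches a node reporting "server-side TFO: disabled" falls back to an ordinary handshake, which is the lost benefit Anand describes.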