North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Anycast 101

  • From: Crist Clark
  • Date: Thu Dec 16 20:20:05 2004

Steven M. Bellovin wrote:

In message <[email protected]>, Crist Clark writes:

Iljitsch van Beijnum wrote:

Due to limitations in the DNS protocol, it's not possible to increase the number of authoritative DNS servers for a zone beyond around 13.
I believe you misspelled, "Due to people who do not understand the DNS
protocol being allowed to configure firewalls..."

No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035 says:

Messages carried by UDP are restricted to 512 bytes (not counting the IP
or UDP headers).

There's a large installed base of machines that conform to that limit and don't understand EDNS0. I'll leave the packet layout and arithmetic as an exercise for the reader (cheaters may want to run tcpdump on 'dig ns .' and examine the result), but the net result is what Iljitsch said: you can only fit about 13 servers into a response.
Into a UDP response. A resolver will recieve the first 512 bytes of the
truncated response and may then use TCP to get the complete response...
unless there is a firewall blocking 53/tcp in the way. But how often
does that happpen?

The root servers sustaining the ensuing SYN flood is another issue.
Crist J. Clark                               [email protected]
Globalstar Communications                                (408) 933-4387