North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Anycast 101

  • From: Suzanne Woolf
  • Date: Thu Dec 16 20:55:55 2004

On Thu, Dec 16, 2004 at 07:59:58PM -0500, Steven M. Bellovin wrote:
> In message <[email protected]>, Crist Clark writes:
> >
> >Iljitsch van Beijnum wrote:
> >
> >> Due to limitations in the DNS protocol, it's not possible 
> >> to increase the number of authoritative DNS servers for a zone beyond 
> >> around 13.
> >
> >I believe you misspelled, "Due to people who do not understand the DNS
> >protocol being allowed to configure firewalls..."
> No, firewalls have nothing to do with it.  Section 4.2.1 of RFC 1035 
> says:
>    Messages carried by UDP are restricted to 512 bytes (not counting the IP
>    or UDP headers).
> There's a large installed base of machines that conform to that limit 
> and don't understand EDNS0.  I'll leave the packet layout and 
> arithmetic as an exercise for the reader (cheaters may want to run 
> tcpdump on 'dig ns .' and examine the result), but the net result is 
> what Iljitsch said: you can only fit about 13 servers into a response.

Just because I feel like splitting hairs....

You're both right. As far as we (ISC) can tell, there are lots of
resolvers that authoritative servers can't send big packets to because
they don't grok EDNS0. There are also lots of resolvers that grok
EDNS0 behind firewalls that don't. Big fun can occur when the resolver
indicates EDNS0-compliance from behind such a firewall and keeps
asking because it thinks it's not getting answers....For extra credit,
try to deploy DNSSEC in this reality.

It's not for nothing that we speak of extending the DNS protocol as
"rebuilding the airplane in flight" around here....