North American Network Operators Group
Re: Anycast 101
To add, there are also a lot of edge appliances (Company C appliances that start with P) that block 53/tcp >= 512B by default without admins realizing, hence EDNS gets actively blocked while normal DNS traffic works (this is a major issue for Enterprise Windows Admins).

On Fri, 17 Dec 2004 01:54:43 +0000, Suzanne Woolf <[email protected]> wrote:
>
> On Thu, Dec 16, 2004 at 07:59:58PM -0500, Steven M. Bellovin wrote:
> > In message <[email protected]>, Crist Clark writes:
> > >
> > >Iljitsch van Beijnum wrote:
> > >
> > >> Due to limitations in the DNS protocol, it's not possible
> > >> to increase the number of authoritative DNS servers for a zone beyond
> > >> around 13.
> > >
> > >I believe you misspelled, "Due to people who do not understand the DNS
> > >protocol being allowed to configure firewalls..."
> >
> > No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035
> > says:
> >
> > Messages carried by UDP are restricted to 512 bytes (not counting the IP
> > or UDP headers).
> >
> > There's a large installed base of machines that conform to that limit
> > and don't understand EDNS0. I'll leave the packet layout and
> > arithmetic as an exercise for the reader (cheaters may want to run
> > tcpdump on 'dig ns .' and examine the result), but the net result is
> > what Iljitsch said: you can only fit about 13 servers into a response.
>
> Just because I feel like splitting hairs....
>
> You're both right. As far as we (ISC) can tell, there are lots of
> resolvers that authoritative servers can't send big packets to because
> they don't grok EDNS0. There are also lots of resolvers that grok
> EDNS0 behind firewalls that don't. Big fun can occur when the resolver
> indicates EDNS0-compliance from behind such a firewall and keeps
> asking because it thinks it's not getting answers....For extra credit,
> try to deploy DNSSEC in this reality.
>
> It's not for nothing that we speak of extending the DNS protocol as
> "rebuilding the airplane in flight" around here....
>
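The packet-layout arithmetic left as an exercise above, worked through as an added example that is not part of the thread: it hand-builds the reply to `dig ns .` with RFC 1035 name compression and counts how many servers fit under the 512-byte UDP limit, with and without an EDNS0 OPT record. The server names a.root-servers.net onward, the TTL, the message ID and the 198.41.0.x glue addresses are constructed for the example, not real data.

```python
import struct
# Added example, not from the thread: hand-build the reply to "dig ns ." with
# RFC 1035 name compression to do the 512-byte arithmetic the post leaves as an
# exercise. Names a..o.root-servers.net and the glue addresses are constructed.

UDP_LIMIT = 512  # RFC 1035 section 4.2.1
SUFFIX = "root-servers.net"

def encode_name(name: str, offsets: dict, out: bytearray) -> None:
    # Wire-format name; a suffix seen earlier becomes a 2-byte pointer (4.1.4).
    labels = [l for l in name.split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(out) < 0x4000:          # pointers carry a 14-bit offset
            offsets[suffix] = len(out)
        out.append(len(labels[0]))
        out += labels[0].encode("ascii")
        labels = labels[1:]
    out.append(0)                      # root label terminates the name

def root_ns_response(n_servers: int, edns: bool = False) -> bytes:
    # ". NS" answer with n_servers NS RRs, one A glue RR each, optional OPT RR.
    names = [f"{chr(ord('a') + i)}.{SUFFIX}" for i in range(n_servers)]
    out, offsets = bytearray(), {}
    # Header: ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (constructed ID)
    out += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers, 0, n_servers + (1 if edns else 0))
    encode_name(".", offsets, out)                    # question: "." NS IN
    out += struct.pack("!HH", 2, 1)
    for name in names:                                # answer section
        encode_name(".", offsets, out)
        out += struct.pack("!HHIH", 2, 1, 518400, 0)  # NS, IN, TTL, RDLENGTH placeholder
        rdlen_at = len(out) - 2
        encode_name(name, offsets, out)
        struct.pack_into("!H", out, rdlen_at, len(out) - rdlen_at - 2)
    for i, name in enumerate(names):                  # additional section: A glue
        encode_name(name, offsets, out)
        out += struct.pack("!HHIH4B", 1, 1, 518400, 4, 198, 41, 0, 4 + i)
    if edns:                                          # OPT RR advertising a 4096-byte buffer
        out += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return bytes(out)

def max_servers(limit: int = UDP_LIMIT, edns: bool = False) -> int:
    # Largest server count whose reply still fits in `limit` bytes.
    n = 1
    while len(root_ns_response(n + 1, edns)) <= limit:
        n += 1
    return n
```

With this A-only, fully compressed layout each extra server costs 31 bytes (15 for the NS RR, 16 for its glue); real root responses today also carry AAAA glue, so the headroom is smaller than the arithmetic alone suggests.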