North American Network Operators Group


Re: Anycast 101

  • From: Alon Tirosh
  • Date: Thu Dec 16 21:04:57 2004
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=gGA3gjPGr36jqsQwdbcbPcNhQ/Dav5d5jEigjUIu48uSh4Y+zgCg8whENaLP+E8ArBCIMjt24P+uBzhMco1bs1vqy+3Lwov3QP2T7BFfWdUxahaTz/NpvUj6S6/VhFJ7gBH3l7ZR6esQWRPV3PBWboewkrHTppeizBzr5eT1p/o=

To add, there are also a lot of edge appliances (Company C appliances
that start with P) that block 53/tcp >= 512B by default without admins
realizing, hence EDNS gets actively blocked while normal DNS traffic
works (this is a major issue for enterprise Windows admins).


On Fri, 17 Dec 2004 01:54:43 +0000, Suzanne Woolf <[email protected]> wrote:
> 
> On Thu, Dec 16, 2004 at 07:59:58PM -0500, Steven M. Bellovin wrote:
> > In message <[email protected]>, Crist Clark writes:
> > >
> > >Iljitsch van Beijnum wrote:
> > >
> > >> Due to limitations in the DNS protocol, it's not possible
> > >> to increase the number of authoritative DNS servers for a zone beyond
> > >> around 13.
> > >
> > >I believe you misspelled, "Due to people who do not understand the DNS
> > >protocol being allowed to configure firewalls..."
> >
> > No, firewalls have nothing to do with it.  Section 4.2.1 of RFC 1035
> > says:
> >
> >    Messages carried by UDP are restricted to 512 bytes (not counting the IP
> >    or UDP headers).
> >
> > There's a large installed base of machines that conform to that limit
> > and don't understand EDNS0.  I'll leave the packet layout and
> > arithmetic as an exercise for the reader (cheaters may want to run
> > tcpdump on 'dig ns .' and examine the result), but the net result is
> > what Iljitsch said: you can only fit about 13 servers into a response.
> 
> Just because I feel like splitting hairs....
> 
> You're both right. As far as we (ISC) can tell, there are lots of
> resolvers that authoritative servers can't send big packets to because
> they don't grok EDNS0. There are also lots of resolvers that grok
> EDNS0 behind firewalls that don't. Big fun can occur when the resolver
> indicates EDNS0-compliance from behind such a firewall and keeps
> asking because it thinks it's not getting answers.... For extra credit,
> try to deploy DNSSEC in this reality.
> 
> It's not for nothing that we speak of extending the DNS protocol as
> "rebuilding the airplane in flight" around here....
>
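Bellovin's "exercise for the reader" above, worked through as an added example (this is not code from any of the posters or from ISC). It assembles the response to `dig ns .` the way RFC 1035 lays it out on the wire: 13 NS records in the answer section, one A glue record per server in the additional section, names compressed against earlier occurrences, and then counts the octets against the 512-octet UDP ceiling quoted from section 4.2.1. The server names are the real root-servers.net names; the glue addresses, the RR TTLs and the second naming pattern (`ns.{x}-operator.example.`) are constructed placeholders. It also shows what an EDNS0 OPT pseudo-record adds to the message, and lets you vary the name pattern, because how many servers fit depends on name length and on how well the names compress.

```python
import struct

TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41
CLASS_IN = 1
# The thirteen root server names as they appear in a 'dig ns .' answer.
ROOT_SERVERS = ["%s.root-servers.net." % chr(ord("a") + i) for i in range(13)]


def encode_name(name):
    """Uncompressed RFC 1035 wire form of a dotted name ('.' is one zero octet)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out + b"\x00")


def pointer(offset):
    """Two-octet compression pointer (top two bits set) to an earlier name."""
    return struct.pack("!H", 0xC000 | offset)


def build_priming_response(servers, glue=True, edns_size=None):
    """Assemble the response to 'NS .' the way an authoritative server lays it out:
    NS RRs in the answer section, A glue in the additional section, names
    compressed against earlier occurrences. Returns the message bytes."""
    arcount = (len(servers) if glue else 0) + (1 if edns_size else 0)
    # Header: ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT = 12 octets
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, arcount))
    msg += encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)  # question: 5 octets
    ns_name_offsets = []   # where each NS target name starts, for glue owner pointers
    seen_suffix = {}       # label-suffix tuple -> offset of its first occurrence
    for host in servers:
        # Owner '.' (1 octet) + TYPE, CLASS, TTL (constructed) = 11 octets before RDLENGTH
        msg += encode_name(".") + struct.pack("!HHI", TYPE_NS, CLASS_IN, 518400)
        rdlen_pos = len(msg)
        msg += b"\x00\x00"                    # RDLENGTH, patched below
        ns_name_offsets.append(len(msg))
        labels = host.rstrip(".").split(".")
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in seen_suffix:         # rest of the name is already on the wire
                msg += pointer(seen_suffix[suffix])
                break
            seen_suffix[suffix] = len(msg)
            msg += bytes([len(label)]) + label.encode("ascii")
        else:
            msg += b"\x00"                    # no shared suffix: explicit root label
        struct.pack_into("!H", msg, rdlen_pos, len(msg) - rdlen_pos - 2)
    if glue:
        for n, off in enumerate(ns_name_offsets):
            # Owner is a pointer into the NS RDATA; A RR = 2 + 10 + 4 = 16 octets
            msg += pointer(off) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600000, 4)
            msg += bytes([192, 0, 2, n + 1])  # constructed documentation-range addresses
    if edns_size:
        # OPT pseudo-RR: root owner, type 41, CLASS field carries the UDP payload size
        msg += encode_name(".") + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return bytes(msg)


def section_counts(msg):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) read back from a message header."""
    return struct.unpack_from("!HHHH", msg, 4)


def max_servers_under(limit=512, naming="{}.root-servers.net.", glue=True):
    """Largest server count whose glued NS response stays within `limit` octets."""
    for n in range(1, 27):
        names = [naming.format(chr(ord("a") + i)) for i in range(n)]
        if len(build_priming_response(names, glue=glue)) > limit:
            return n - 1
    return 26


if __name__ == "__main__":
    msg = build_priming_response(ROOT_SERVERS)
    print("13 root servers + IPv4 glue:", len(msg), "octets")
    print("same answer carrying an EDNS0 OPT RR:",
          len(build_priming_response(ROOT_SERVERS, edns_size=4096)), "octets")
    print("max servers under 512 with root-servers.net naming:", max_servers_under())
    print("max servers under 512 with unrelated names:",
          max_servers_under(naming="ns.{}-operator.example."))
```

With the root-servers.net naming the 13-server answer comes to 436 octets including IPv4 glue, and the same layout would admit 15 servers before crossing 512; with names that share no suffix (so only the final label compresses) it admits 11. Anything past that point, and the larger records DNSSEC adds, only reaches the client if it advertised a bigger buffer in an OPT record and the path, firewalls included, actually passes the larger datagram, which is exactly the failure mode the replies above describe.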