Re: 512 byte limit

2009-01-23 Thread Stephane Bortzmeyer
On Thu, Jan 22, 2009 at 11:06:38AM +,
 Chris Thompson  wrote 
 a message of 28 lines which said:

>> As mentioned by Anton Korotin, the root name servers send answers > 512.
>
> Well not unless the EDNS flag and buffer size are set in the query, of 
> course.

Which BIND does by default.

> a, c, e, i & j.root-servers.net leave out both A and AAAA records
>   for k, l & m, putting in all records for the others.
> b, d, f, g, h, k, l & m.root-servers.net include all the A records,
>   and leave out enough AAAA records to make the answer fit.
>
> Both entirely legal, of course.

There was an Internet-Draft to formalize these sort of decisions, "DNS
Referral Response Size Issues". Section 2.3 "Advice to Server
Implementors" said:

   A delegation response should prioritize glue records as follows.

   first:
   All glue RRsets for one name server whose name is in or below the
   zone being delegated, or which has multiple address RRsets
   (currently A and AAAA), or preferably both;
   second:
   Alternate between adding all glue RRsets for any name servers
   whose names are in or below the zone being delegated, and all
   glue RRsets for any name servers who have multiple address RRsets
   (currently A and AAAA);
   thence:
   All other glue RRsets, in any order.

But the draft was never published and seems now dead :-(



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
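The draft's priority rule, applied to a constructed delegation, as an added example that is not part of the thread or of BIND; the zone name, server names, addresses and the per-record byte costs are assumptions:

```python
# Added example (not from the thread or BIND): the draft's glue-priority rule
# run on constructed delegation data. All names and addresses are made up.
# Wire cost of one glue RR with a 2-byte compressed owner name: 12-byte RR
# header plus 4 (A) or 16 (AAAA) bytes of RDATA.
RR_SIZE = {"A": 16, "AAAA": 28}

def in_bailiwick(ns, zone):
    """True when the server name is at or below the delegated zone."""
    ns, zone = ns.lower().rstrip("."), zone.lower().rstrip(".")
    return ns == zone or ns.endswith("." + zone)

def prioritize_glue(zone, glue):
    """Order server names as the draft says their glue should be packed.
    glue maps server name -> {"A": [...], "AAAA": [...]}."""
    def multi(ns):                      # more than one address RRset present
        return sum(1 for rrs in glue[ns].values() if rrs) >= 2
    names = list(glue)
    # first: one server that is in-bailiwick or multi-homed, preferably both
    first = (next((n for n in names if in_bailiwick(n, zone) and multi(n)), None)
             or next((n for n in names if in_bailiwick(n, zone) or multi(n)), None))
    order = [first] if first else []
    # second: alternate between in-bailiwick and multi-homed servers (a server
    # that is both goes in the in-bailiwick bucket)
    inzone = [n for n in names if n != first and in_bailiwick(n, zone)]
    multis = [n for n in names if n != first and multi(n) and n not in inzone]
    while inzone or multis:
        for bucket in (inzone, multis):
            if bucket:
                order.append(bucket.pop(0))
    # thence: everything else, here in input order
    return order + [n for n in names if n not in order]

def pack_glue(zone, glue, budget):
    """Add whole glue RRsets in priority order; an RRset that would overflow
    the byte budget is left out and packing continues with the next one."""
    kept, used = [], 0
    for ns in prioritize_glue(zone, glue):
        for rtype in ("A", "AAAA"):
            cost = RR_SIZE[rtype] * len(glue[ns][rtype])
            if cost and used + cost <= budget:
                kept.append((ns, rtype))
                used += cost
    return kept
# Constructed delegation: two in-zone servers, two out-of-zone, mixed A/AAAA.
GLUE = {
    "ns1.example.": {"A": ["192.0.2.1"], "AAAA": []},
    "ns2.example.": {"A": ["192.0.2.2"], "AAAA": ["2001:db8::2"]},
    "ns3.other.": {"A": ["198.51.100.3"], "AAAA": ["2001:db8::3"]},
    "ns4.other.": {"A": ["198.51.100.4"], "AAAA": []},
}
```

With a 100-byte budget the AAAA RRset of ns3.other. is the one left out, the same shape of trimming Chris observed on the root servers.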


Re: 512 byte limit

2009-01-22 Thread Chris Thompson

On Jan 22 2009, Stephane Bortzmeyer wrote:

[...]

As mentioned by Anton Korotin, the root name servers send answers > 512.


Well not unless the EDNS flag and buffer size are set in the query, 
of course.


This prompted me to look at what data is omitted from the additional
section of the response for NS records for the root, when they are
limited to 512 bytes. 


a, c, e, i & j.root-servers.net leave out both A and AAAA records
  for k, l & m, putting in all records for the others.
b, d, f, g, h, k, l & m.root-servers.net include all the A records,
  and leave out enough AAAA records to make the answer fit.

Both entirely legal, of course.

--
Chris Thompson
Email: c...@cam.ac.uk




Re: 512 byte limit

2009-01-22 Thread Stephane Bortzmeyer
On Wed, Jan 21, 2009 at 11:47:01AM -0500,
 Todd Snyder  wrote 
 a message of 38 lines which said:

> I am sure there is much in the RTFM category, and I will continue to
> RTFM,

The FM here is RFC 2671, published nine years ago (a lot of time in
Internet terms).

> We are seeing some firewall messages indicating that one of our FW's is
> getting DNS responses at 600ish bytes:
> 
> 2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from /53 to
> yyy/2114; packet length 660 bytes exceeds configured limit of 512
> bytes

That is a badly configured firewall. Fire the guy who configured it,
and hire someone else, someone who knows about the things developed in
the last ten years.

As mentioned by Anton Korotin, the root name servers send answers > 512.



Re: 512 byte limit

2009-01-21 Thread Mark Andrews

In message <46e76f620901210952s3a357724w44e08804484fb...@mail.gmail.com>, Josh Kuo writes:
> > 1) If a reply is over 512 bytes, which can't in theory be done via UDP,
> > should the queried server reply telling my resolver to ask again using
> > TCP?  Assuming, as one normally should, that there are firewalls, the
> > queried server can't simply reply TCP, as it would get blocked.
> 
> I am not sure about the UDP size question, but I am pretty sure this
> is a client behavior, i.e. the server does not send back a reply to
> tell the client to use TCP port, but client should try UDP, fails, and
> switch to using TCP.

Correction, the server sends back a UDP reply with TC set in the
flags.  The client then initiates a TCP based query.  Please
read RFC 1034 and RFC 1035.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: 512 byte limit

2009-01-21 Thread Josh Kuo
> 1) If a reply is over 512 bytes, which can't in theory be done via UDP,
> should the queried server reply telling my resolver to ask again using
> TCP?  Assuming, as one normally should, that there are firewalls, the
> queried server can't simply reply TCP, as it would get blocked.

I am not sure about the UDP size question, but I am pretty sure this
is a client behavior, i.e. the server does not send back a reply to
tell the client to use TCP port, but client should try UDP, fails, and
switch to using TCP.


Re: 512 byte limit

2009-01-21 Thread Anton Korotin
On 1/21/09, Todd Snyder  wrote:
> Good day,

Hello,

>
>  I am struggling to get my head around the 512 byte limit with regards to
>  DNS queries/responses.  I am sure there is much in the RTFM category,
>  and I will continue to RTFM, but I wanted to ask a couple of specific
>  questions.
>
>  1) If a reply is over 512 bytes, which can't in theory be done via UDP,

It was not possible until EDNS appeared.

>  should the queried server reply telling my resolver to ask again using
>  TCP?  Assuming, as one normally should, that there are firewalls, the
>  queried server can't simply reply TCP, as it would get blocked.

The TC bit in the reply header indicates that the answer is truncated and
the client is supposed to resend the query via TCP.

The server can't simply reply with TCP, as it is a connection-oriented
protocol and the TCP session has to be initiated by the client.

>  2) Further to above, are responses over 512 bytes permissible using UDP?
>  We are seeing some firewall messages indicating that one of our FW's is
>  getting DNS responses at 600ish bytes:
>
>  2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from /53 to
>  yyy/2114; packet length 660 bytes exceeds configured limit of 512
>  bytes
>
>  I was under the (likely mistaken) impression that over 512 wasn't
>  allowed, but there it is ...
>
>  I could very well be completely messed up regarding the rules, so please
>  forgive my ignorance.  If you know my answer is in TFM, please batter me
>  about the head and tell me which FM at least :)

Answers longer than 512 bytes are valid if the client supports EDNS:
please see RFC 2671 after RFC 1035.

You can easily receive a long reply with a command like this:
dig @a.root-servers.net . ns +bufsize=4096
It now sends back a message 643 bytes long. It works.

-- 
Anton
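The EDNS0 query that dig command sends, and the TC-bit check a resolver makes before retrying over TCP, as an added example that is not from the thread, dig or BIND; the reply it inspects is constructed, not captured from a root server:

```python
import struct
# Added example (not from the thread): build the ". NS" query with and without
# an EDNS0 OPT RR (RFC 2671), and read the TC bit of a reply the way a resolver
# does before falling back to TCP (RFC 1035). The reply below is constructed.
TYPE_NS, TYPE_OPT = 2, 41
FLAG_QR, FLAG_TC = 0x8000, 0x0200

def encode_name(name):
    """Wire-format a domain name; "." (the root) is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, qid=0x1234, bufsize=None):
    """Query with RD set; with bufsize, append an OPT RR advertising that UDP size."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if bufsize:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return msg

def advertised_udp_size(query):
    """UDP payload size a query advertises (OPT CLASS field), else the 512-byte
    default. Assumes the query holds only its question(s) and an optional OPT."""
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        while query[off]:                   # walk labels; no compression in questions
            off += 1 + query[off]
        off += 1 + 4                        # root byte + QTYPE + QCLASS
    if ar and query[off] == 0:              # OPT must own the root name
        rtype, rclass = struct.unpack("!HH", query[off + 1:off + 5])
        if rtype == TYPE_OPT:
            return rclass
    return 512

def parse_flags(reply):
    """Header fields a resolver checks before deciding how to proceed."""
    qid, flags = struct.unpack("!HH", reply[:4])
    return {"id": qid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F}

def next_transport(reply):
    """TC set means the answer was cut to fit: ask again over TCP."""
    return "tcp" if parse_flags(reply)["tc"] else "udp"

# Constructed reply header: QR, TC, RD, RA set (0x8380), one question, no answers.
TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | 0x0180, 1, 0, 0, 0)
                   + encode_name(".") + struct.pack("!HH", TYPE_NS, 1))
```

A firewall that enforces a fixed 512-byte ceiling ignores the size the client advertised in the OPT CLASS field, which is exactly the mismatch behind the dropped 660-byte reply in Todd's log.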


Re: 512 byte limit

2009-01-21 Thread Niall O'Reilly
On Wed, 2009-01-21 at 11:47 -0500, Todd Snyder wrote:
> I was under the (likely mistaken) impression that over 512 wasn't
> allowed, but there it is ...
> 
> I could very well be completely messed up regarding the rules, so
> please
> forgive my ignorance.  If you know my answer is in TFM, please batter
> me
> about the head and tell me which FM at least :)

The magic word is 'EDNS0'.  I don't know nearly as much
about it as I ought to, but Googling for this word,
I found a short and readable explanation, with some
suggestions for correcting badly-configured firewalls:

http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html

IHTH

/Niall




512 byte limit

2009-01-21 Thread Todd Snyder
Good day,

I am struggling to get my head around the 512 byte limit with regards to
DNS queries/responses.  I am sure there is much in the RTFM category,
and I will continue to RTFM, but I wanted to ask a couple of specific
questions.

1) If a reply is over 512 bytes, which can't in theory be done via UDP,
should the queried server reply telling my resolver to ask again using
TCP?  Assuming, as one normally should, that there are firewalls, the
queried server can't simply reply TCP, as it would get blocked.

2) Further to above, are responses over 512 bytes permissible using UDP?
We are seeing some firewall messages indicating that one of our FW's is
getting DNS responses at 600ish bytes:

2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from /53 to
yyy/2114; packet length 660 bytes exceeds configured limit of 512
bytes

I was under the (likely mistaken) impression that over 512 wasn't
allowed, but there it is ...

I could very well be completely messed up regarding the rules, so please
forgive my ignorance.  If you know my answer is in TFM, please batter me
about the head and tell me which FM at least :)

Cheers,

Todd.

