[76590] in North American Network Operators' Group
Re: Anycast 101
daemon@ATHENA.MIT.EDU (Crist Clark)
Thu Dec 16 20:18:44 2004
Date: Thu, 16 Dec 2004 17:18:12 -0800
From: Crist Clark <crist.clark@globalstar.com>
In-reply-to: <20041217005958.9B48F1AE89@berkshire.research.att.com>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, NANOG list <nanog@nanog.org>
Reply-To: crist.clark@globalstar.com
Errors-To: owner-nanog-outgoing@merit.edu
Steven M. Bellovin wrote:
> In message <41C222C3.9020906@globalstar.com>, Crist Clark writes:
>
>>Iljitsch van Beijnum wrote:
>>
>>
>>>Due to limitations in the DNS protocol, it's not possible
>>>to increase the number of authoritative DNS servers for a zone beyond
>>>around 13.
>>
>>I believe you misspelled, "Due to people who do not understand the DNS
>>protocol being allowed to configure firewalls..."
>
>
> No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035
> says:
>
> Messages carried by UDP are restricted to 512 bytes (not counting the IP
> or UDP headers).
>
> There's a large installed base of machines that conform to that limit
> and don't understand EDNS0. I'll leave the packet layout and
> arithmetic as an exercise for the reader (cheaters may want to run
> tcpdump on 'dig ns .' and examine the result), but the net result is
> what Iljitsch said: you can only fit about 13 servers into a response.
Into a UDP response. A resolver will receive the first 512 bytes of the
truncated response and may then use TCP to get the complete response...
unless there is a firewall blocking 53/tcp in the way. But how often
does that happen?
The root servers sustaining the ensuing SYN flood is another issue.
--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
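The packet layout and arithmetic left as an exercise above, worked through as an added example that is not part of the original thread: it builds a root NS response for n servers in RFC 1035 wire format with name compression and IPv4 glue, then applies the 512-byte UDP rule (cut the message and set TC, forcing the resolver onto 53/tcp). Server names a..z.root-servers.net, the TTL and the 192.0.2.x glue addresses are constructed for the example.

```python
import struct

def encode_name(name, buf, table):
    """Append NAME in RFC 1035 wire form, compressing any suffix already emitted.
    table maps a dotted suffix to its offset; a pointer is 0xC000 | offset."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    while labels:
        suffix = '.'.join(labels)
        if suffix in table:
            buf += struct.pack('!H', 0xC000 | table[suffix])
            return
        if len(buf) < 0x4000:  # only the first 16 KiB is pointer-addressable
            table[suffix] = len(buf)
        buf += bytes([len(labels[0])]) + labels[0].encode('ascii')
        labels = labels[1:]
    buf += b'\x00'  # the root label terminates an uncompressed name

def root_priming_response(n, ttl=3600000):
    """Constructed answer to 'dig ns .' with n servers (a..z.root-servers.net),
    each followed by an A glue record in the additional section."""
    names = ['%s.root-servers.net.' % chr(ord('a') + i) for i in range(n)]
    table = {}
    msg = bytearray(struct.pack('!HHHHHH', 0x1234, 0x8400, 1, n, 0, n))  # QR, AA set
    encode_name('.', msg, table)
    msg += struct.pack('!HH', 2, 1)  # QTYPE=NS, QCLASS=IN
    for name in names:  # answer section: one NS RR per server, owner is '.'
        encode_name('.', msg, table)
        msg += struct.pack('!HHIH', 2, 1, ttl, 0)  # RDLENGTH patched below
        rdstart = len(msg)
        encode_name(name, msg, table)  # first name costs 20 bytes, later ones 4
        struct.pack_into('!H', msg, rdstart - 2, len(msg) - rdstart)
    for i, name in enumerate(names):  # additional section: 16 bytes of glue each
        encode_name(name, msg, table)  # owner name is a 2-byte pointer
        msg += struct.pack('!HHIH4B', 1, 1, ttl, 4, 192, 0, 2, i)  # constructed 192.0.2.i
    return bytes(msg)

def for_udp(msg, limit=512):
    """Pre-EDNS0 sender rule (RFC 1035 4.2.1): a response over the limit is cut at
    the limit and the TC bit set; the resolver is expected to retry over TCP."""
    if len(msg) <= limit:
        return msg, False
    cut = bytearray(msg[:limit])
    struct.pack_into('!H', cut, 2, struct.unpack_from('!H', cut, 2)[0] | 0x0200)
    return bytes(cut), True

if __name__ == '__main__':
    for n in (9, 13, 14, 16, 26):
        size = len(root_priming_response(n))
        wire, tc = for_udp(root_priming_response(n))
        print('%2d servers -> %3d bytes, sent %3d bytes, TC=%d' % (n, size, len(wire), tc))
```

Each server adds 31 bytes (15 for its NS record, 16 for its glue) on top of a fixed 33, so 13 servers come to 436 bytes and the response crosses 512 at 16.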