[76590] in North American Network Operators' Group

Re: Anycast 101

daemon@ATHENA.MIT.EDU (Crist Clark)
Thu Dec 16 20:18:44 2004

Date: Thu, 16 Dec 2004 17:18:12 -0800
From: Crist Clark <crist.clark@globalstar.com>
In-reply-to: <20041217005958.9B48F1AE89@berkshire.research.att.com>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>,
	NANOG list <nanog@nanog.org>
Reply-To: crist.clark@globalstar.com
Errors-To: owner-nanog-outgoing@merit.edu


Steven M. Bellovin wrote:

> In message <41C222C3.9020906@globalstar.com>, Crist Clark writes:
> 
>>Iljitsch van Beijnum wrote:
>>
>>
>>>Due to limitations in the DNS protocol, it's not possible 
>>>to increase the number of authoritative DNS servers for a zone beyond 
>>>around 13.
>>
>>I believe you misspelled, "Due to people who do not understand the DNS
>>protocol being allowed to configure firewalls..."
> 
> 
> No, firewalls have nothing to do with it.  Section 4.2.1 of RFC 1035 
> says:
> 
>    Messages carried by UDP are restricted to 512 bytes (not counting the IP
>    or UDP headers).
> 
> There's a large installed base of machines that conform to that limit 
> and don't understand EDNS0.  I'll leave the packet layout and 
> arithmetic as an exercise for the reader (cheaters may want to run 
> tcpdump on 'dig ns .' and examine the result), but the net result is 
> what Iljitsch said: you can only fit about 13 servers into a response.

Into a UDP response. A resolver will receive the first 512 bytes of the
truncated response and may then use TCP to get the complete response...
unless there is a firewall blocking 53/tcp in the way. But how often
does that happen?

The root servers sustaining the ensuing SYN flood is another issue.
-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
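The "packet layout and arithmetic" left as an exercise above, worked through as an added example (editor's code, not from anyone on the thread): it builds the wire-format answer to `dig ns .` with RFC 1035 name compression for a constructed set of names in the root-servers.net letter style, counts how many NS records plus A glue fit under the 512-byte UDP limit, and produces the truncated reply that sends a resolver to TCP. The names and the 192.0.2.x glue addresses are constructed; the count depends on how well the names compress, so a server list without a shared suffix fits fewer.

```python
import struct

UDP_LIMIT = 512                                   # RFC 1035 section 4.2.1
LETTER_NAMES = [f"{c}.root-servers.net" for c in "abcdefghijklmnopqrstuvwxyz"]  # constructed, not live data

def append_name(buf: bytearray, name: str, seen: dict) -> None:
    """Append a name in wire format; a suffix already in the message becomes a 2-byte pointer."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in seen:
            buf += struct.pack("!H", 0xC000 | seen[suffix])   # top two bits set + 14-bit offset
            return
        seen[suffix] = len(buf)                   # offsets here stay far below the 16 KiB pointer limit
        buf += bytes([len(labels[0])]) + labels.pop(0).encode("ascii")
    buf.append(0)                                 # root label terminates the name

def append_rr(buf: bytearray, seen: dict, owner: str, rtype: int, write_rdata) -> None:
    """Append owner, TYPE, CLASS IN, TTL, RDLENGTH (patched after RDATA is written), RDATA."""
    append_name(buf, owner, seen)
    buf += struct.pack("!HHIH", rtype, 1, 518400, 0)
    rd_start = len(buf)
    write_rdata(buf, seen)
    struct.pack_into("!H", buf, rd_start - 2, len(buf) - rd_start)

def priming_response(names, glue: bool = True) -> bytes:
    """Reply to 'dig ns .': one NS record per name in the answer section, A glue in the additional section."""
    buf, seen = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(names), 0, len(names) if glue else 0)), {}
    append_name(buf, ".", seen)
    buf += struct.pack("!HH", 2, 1)               # QTYPE NS, QCLASS IN
    for nm in names:
        append_rr(buf, seen, ".", 2, lambda b, s, nm=nm: append_name(b, nm, s))
    for i, nm in enumerate(names if glue else []):
        append_rr(buf, seen, nm, 1, lambda b, s, i=i: b.extend(bytes([192, 0, 2, i + 1])))  # TEST-NET-1
    return bytes(buf)

def max_servers_in_udp(names=LETTER_NAMES, glue: bool = True, limit: int = UDP_LIMIT) -> int:
    """Largest prefix of `names` whose NS records (plus A glue) fit in one `limit`-byte UDP reply."""
    sizes = [len(priming_response(names[:n], glue)) for n in range(1, len(names) + 1)]
    return sum(1 for size in sizes if size <= limit)   # sizes grow monotonically with n

def udp_reply(msg: bytes, limit: int = UDP_LIMIT) -> bytes:
    """Pre-EDNS0 UDP behaviour: send it whole if it fits, else the first `limit` bytes with TC set."""
    if len(msg) <= limit:
        return msg
    out = bytearray(msg[:limit])
    out[2] |= 0x02                                # TC is bit 1 of the flags high byte; resolver retries over TCP
    return bytes(out)
```

Thirteen letter-scheme servers with A glue come to 436 bytes; the compressed names are what leave headroom under 512, and the TC bit in the truncated reply is what makes 53/tcp matter.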