[76990] in North American Network Operators' Group


Re: Broken PMTUD for . + TLD servers, was: Re: Smallest Transit MTU

daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Jan 10 06:43:01 2005

To: "Alexei Roudnev" <alex@relcom.net>
Cc: nanog@merit.edu
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Sun, 09 Jan 2005 23:59:58 -0800."
             <0be701c4f6ea$61ab8f70$6401a8c0@alexh> 
Date: Mon, 10 Jan 2005 22:42:28 +1100
Errors-To: owner-nanog-outgoing@merit.edu

> I receive DNS responses > 500 bytes every day (reported by PIX firewall). So
> it is an issue, no matter what is recommended in RFC.

	And you most probably have EDNS clients (nameservers) inside
	your firewall making EDNS queries which return EDNS responses
	that are bigger than 512 bytes.  EDNS has been standards
	track for over 5 years now.  The majority of the nameservers
	in the world talk EDNS between themselves and have been for
	several years now.  Only a few queries caused the EDNS
	response to exceed 512 bytes.

	With the introduction of the AAAA records for A.GTLD-SERVERS.NET
	and B.GTLD-SERVERS.NET any EDNS referral from the root
	servers for COM/NET now exceeds 512 bytes (520 minimum).
	A plain DNS referral to COM/NET is 509 bytes so any referral
	for a name longer than xx.com is dropping glue records for
	the COM/NET servers.

	The correct thing to do is to fix your firewall to handle the
	EDNS responses.

	Mark

	RFC 2671:   Extension Mechanisms for DNS (EDNS0)
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
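
The size arithmetic behind the message above, as an added example that is not part of the original post or of any ISC code: a minimal DNS wire-format builder with RFC 1035 name compression constructs a root-style referral to thirteen COM servers (constructed names and documentation addresses, 192.0.2.0/24 and 2001:db8::/32), then measures it with and without AAAA glue and with and without the 11-byte EDNS0 OPT record. A plain responder keeps each glue record only while the reply stays within 512 bytes, so glue is dropped as the query name grows; an EDNS responder uses the advertised payload size and the reply passes 512 bytes. The exact byte counts (509/520 in the post) depend on the query name and the 2005 root zone data; the figures this code produces are for its own constructed data.

```python
"""Added example: size of a root referral with and without EDNS0 (RFC 2671)."""
import struct

# Constructed server set named like the 2005 gTLD servers; addresses are
# documentation ranges, not the real glue.
GTLD_SERVERS = [f"{c}.gtld-servers.net" for c in "abcdefghijklm"]
TTL = 172800
OPT_UDP_SIZE = 4096   # EDNS0 UDP payload size, carried in the OPT CLASS field
OPT_RR_SIZE = 11      # root owner (1) + TYPE/CLASS/TTL/RDLENGTH (10), empty RDATA


class DnsMessage:
    """Minimal DNS wire-format builder with RFC 1035 name compression."""

    def __init__(self, qname, qtype=1):
        self.buf = bytearray(12)        # header; counts are written by render()
        self.offsets = {}               # name suffix -> offset of first occurrence
        self.counts = [1, 0, 0, 0]      # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
        self._name(qname)
        self.buf += struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

    def _name(self, name):
        """Append a domain name, replacing any suffix seen earlier by a pointer."""
        name = name.rstrip(".")
        if not name:
            self.buf += b"\x00"         # the root name is a single zero octet
            return
        labels = name.split(".")
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:]).lower()
            if suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return                  # a pointer ends the name
            if len(self.buf) <= 0x3FFF:
                self.offsets[suffix] = len(self.buf)
            self.buf += bytes([len(label)]) + label.encode("ascii")
        self.buf += b"\x00"

    def _rr(self, name, rtype, rdata, section, rclass=1, ttl=TTL):
        """Append a resource record; rdata is raw bytes or a compressible name."""
        self._name(name)
        self.buf += struct.pack("!HHIH", rtype, rclass, ttl, 0)
        rdlen_at, start = len(self.buf) - 2, len(self.buf)
        if isinstance(rdata, str):
            self._name(rdata)           # NS RDATA may be compressed
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - start)
        self.counts[section] += 1

    def add_ns(self, zone, nsdname):
        self._rr(zone, 2, nsdname, 2)

    def add_a(self, owner, ipv4):
        self._rr(owner, 1, bytes(int(o) for o in ipv4.split(".")), 3)

    def add_aaaa(self, owner, ipv6_bytes):
        self._rr(owner, 28, ipv6_bytes, 3)

    def add_opt(self):
        # OPT pseudo-RR: CLASS holds the UDP payload size, TTL holds
        # extended RCODE/version/flags, RDATA is empty here.
        self._rr("", 41, b"", 3, rclass=OPT_UDP_SIZE, ttl=0)

    def try_add(self, fn, *args, limit):
        """Add a record only if the message still fits in `limit` bytes."""
        saved = (bytes(self.buf), dict(self.offsets), list(self.counts))
        fn(*args)
        if len(self.buf) > limit:
            self.buf, self.offsets, self.counts = bytearray(saved[0]), saved[1], saved[2]
            return False
        return True

    def size(self):
        return len(self.buf)

    def render(self, msg_id=0):
        """Complete wire image: QR=1, AA=0 (a referral), then the sections."""
        return struct.pack("!HHHHHH", msg_id, 0x8000, *self.counts) + bytes(self.buf[12:])


def build_referral(qname, aaaa_for=(), edns=False, limit=512):
    """Referral for qname to the COM servers: (size, A glue kept, AAAA glue kept).

    A plain responder keeps glue only while the reply fits in 512 bytes; an
    EDNS responder may use the advertised payload size and must append OPT.
    """
    if edns:
        limit = OPT_UDP_SIZE
    budget = limit - OPT_RR_SIZE if edns else limit   # reserve room for OPT
    msg = DnsMessage(qname)
    for ns in GTLD_SERVERS:
        msg.add_ns("com", ns)
    a_kept = sum(msg.try_add(msg.add_a, ns, f"192.0.2.{i}", limit=budget)
                 for i, ns in enumerate(GTLD_SERVERS, 1))
    v6 = bytes([0x20, 0x01, 0x0D, 0xB8]) + bytes(12)   # 2001:db8::
    aaaa_kept = sum(msg.try_add(msg.add_aaaa, ns, v6, limit=budget) for ns in aaaa_for)
    if edns:
        msg.add_opt()
    return msg.size(), a_kept, aaaa_kept


if __name__ == "__main__":
    for qname in ("xx.com", "www.example.com"):
        for edns in (False, True):
            size, a, aaaa = build_referral(qname, aaaa_for=GTLD_SERVERS[:2], edns=edns)
            print(f"{qname:16} edns={edns!s:5} size={size:3}  A glue={a:2}  AAAA glue={aaaa}")
```

With these constructed records the two-label name xx.com is the last one whose plain referral still carries both AAAA glue records within 512 bytes; one label more and the second AAAA record is dropped, while the EDNS reply keeps everything and grows past 512. A firewall that counts any UDP/53 datagram over 512 bytes as an error will therefore flag exactly these legitimate EDNS replies.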
