[dns-operations] DNS deluge for x.p.ctrc.cc
Mark_Andrews at isc.org
Mon Feb 27 01:07:29 UTC 2006
> On Mon, 27 Feb 2006, Gadi Evron wrote:
> > Roland Dobbins wrote:
> >> I wasn't talking about just smurf-like with that type of
> >> amplification effect, nor just tricks like asking for 4K TXT records,
> >> etc.; rather, some interesting logical relationships that Dan and
> >> Mike have uncovered between some open recursive nameservers and
> >> heretofore unknown resolvers of one flavor or another.
> > I have a question someone here may be able to answer...
> > Rob mentioned earlier these should be limited to 512 ATM, as a best
> > practice - and as far as I see it, a band-aid stop-gap effort.... which
> > makes sense.
> > Some (I think it was Bill?) said this can kill some applications such as
> > DNS-SEC, now.. not to nitpick but I don't exactly see DNS-SEC around.
> > What other applications using larger packets would it break?
> > How large would the packets for these applications be? Surely if they
> > are, say, 1024, it's better than 4 K's.
> > :)
> Is it? Why?
> It's one UDP packet no matter what. The problem is really that
> packets > 1.4k will often result in fragmentation since typical
> MTU is 1500. So this is likely to be a good limit to use for UDP
> DNS responses as well.
Hogwash. You need to look at the actual payloads and work out
where the correct break points are. To do that you need to look
at IPv6 + DNSSEC. We really don't want a large percentage of
queries falling back to TCP.
DNS/UDP was never intended to be fragmentation free. It's
just that technology has changed so that 64 byte mtus are
> BTW - personally I've never understood why original designers wanted
> to limit it to only 512 bytes and then go to TCP.
Minimum packet re-assembly buffers. 512 was a suitable
number less than 576.
> William Leibzon
> Elan Networks
> william at elan.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
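As an added example (not part of this thread or of anyone's post in it), the arithmetic the thread is arguing about in Python: build a TXT response of a chosen size, then classify whether a response of that size stays one UDP datagram, fragments at the IP layer, or is truncated and retried over TCP. The 20/40/8 byte header sizes are the standard IPv4/IPv6/UDP ones; the EDNS buffer size and MTU are parameters, and the domain name used is a constructed placeholder.

```python
import struct
from typing import Optional

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
DNS_UDP_MAX = 512           # RFC 1035 UDP payload limit without EDNS0
IPV4_MIN_REASSEMBLY = 576   # smallest datagram every IPv4 host must reassemble

def build_txt_response(name: bytes, txt_len: int, ttl: int = 300) -> bytes:
    """Constructed DNS answer: one TXT RR whose text is txt_len bytes of 'A'.
    TXT RDATA is a sequence of <len><chars> strings of at most 255 bytes each."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # QR|AA, qd=1, an=1
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".") if l) + b"\x00"
    question = qname + struct.pack("!HH", 16, 1)                # TXT, IN
    rdata, remaining = b"", txt_len
    while remaining > 0:
        chunk = min(255, remaining)
        rdata += bytes([chunk]) + b"A" * chunk
        remaining -= chunk
    # 0xC00C = compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return hdr + question + answer

def largest_unfragmented_payload(ipv6: bool = False, mtu: int = 1500) -> int:
    """Biggest DNS payload that fits in one IP packet of the given MTU."""
    return mtu - UDP_HDR - (IPV6_HDR if ipv6 else IPV4_HDR)

def udp_delivery(payload_len: int, edns_bufsize: Optional[int] = None,
                 ipv6: bool = False, mtu: int = 1500) -> str:
    """How a DNS response of payload_len bytes travels:
    'udp' (one datagram), 'udp-fragmented' (exceeds MTU), or
    'tcp-fallback' (exceeds the advertised buffer, so TC=1 and a TCP retry)."""
    limit = edns_bufsize if edns_bufsize else DNS_UDP_MAX
    if payload_len > limit:
        return "tcp-fallback"
    if payload_len > largest_unfragmented_payload(ipv6, mtu):
        return "udp-fragmented"
    return "udp"

if __name__ == "__main__":
    big = build_txt_response(b"example.com", 4000)   # the "4K TXT record" case
    print(len(big), udp_delivery(len(big)), udp_delivery(len(big), 4096))
    print(largest_unfragmented_payload(), largest_unfragmented_payload(ipv6=True))
```

With a 576 byte MTU the unfragmented payload comes out at 548 bytes, which is why 512 was a comfortable figure below the IPv4 reassembly minimum.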