[dns-operations] DNS deluge for x.p.ctrc.cc

Mark Andrews Mark_Andrews at isc.org
Mon Feb 27 01:07:29 UTC 2006


> 
> On Mon, 27 Feb 2006, Gadi Evron wrote:
> 
> > Roland Dobbins wrote:
> >> I wasn't talking about just smurf-like with that type of
> >> amplification effect, nor just tricks like asking for 4K TXT records,
> >> etc.; rather, some interesting logical relationships that Dan and
> >> Mike have uncovered between some open recursive nameservers and
> >> heretofore unknown resolvers of one flavor or another.
> >
> > I have a question someone here may be able to answer...
> >
> > Rob mentioned earlier these should be limited to 512 ATM, as a best
> > practice - and as far as I see it, a band-aid stop-gap effort.... which
> > makes sense.
> >
> > Some (I think it was Bill?) said this can kill some applications such as
> > DNS-SEC, now.. not to nitpick but I don't exactly see DNS-SEC around.
> >
> > What other applications using larger packets would it break?
> >
> > How large would the packets for these applications be? Surely if they
> > are, say, 1024, it's better than 4 K's.
> > :)
> 
> Is it? Why?
> 
> It's one UDP packet no matter what. The problem is really that
> packets > 1.4k will often result in fragmentation since typical
> MTU is 1500. So this is likely to be a good limit to use for UDP
> DNS responses as well.

	Hogwash.  You need to look at the actual payloads and work out
	where the correct break points are.  To do that you need to look
	at IPv6 + DNSSEC.  We really don't want a large percentage of
	queries falling back to TCP.

	DNS/UDP was never intended to be fragmentation free.  It's
	just that technology has changed so that 64 byte MTUs are
	extremely rare :-)

> BTW - personally I've never understood why original designers wanted
> to limit it to only 512 bytes and then go to TCP.

	Minimum packet re-assembly buffers.  512 was a suitable
	number less than 576.

	Mark
 
> -- 
> William Leibzon
> Elan Networks
> william at elan.net
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
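An added illustration, not part of the thread: the size thresholds this exchange argues over (the 576-byte minimum reassembly buffer behind the 512 limit, the 1500 MTU behind the "1.4k" figure, and the IPv6 + DNSSEC case), computed as a DNS message budget per datagram and a classification of how a given response would be delivered. Header sizes are the standard IPv4/IPv6/UDP values; the 4096-byte advertised EDNS buffer used in the usage section is an assumed value.

```python
# Added example: where DNS/UDP responses fragment or fall back to TCP.
# Header sizes are the standard fixed values (no IPv4 options).
IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
IPV4_MIN_REASSEMBLY = 576   # RFC 791 minimum reassembly buffer (the source of the 512 limit)
IPV6_MIN_MTU = 1280         # smallest MTU every IPv6 link must carry
ETHERNET_MTU = 1500         # the "typical MTU" in the quoted message


def udp_payload_budget(mtu, ipv6=False):
    """Largest DNS message that fits in one unfragmented datagram on a link of this MTU."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR


def classify_response(msg_len, advertised_max=512, path_mtu=ETHERNET_MTU, ipv6=False):
    """Describe how a response of msg_len bytes reaches a client that advertised
    advertised_max as its UDP limit (512 when the query carried no EDNS).

    Above the advertised limit the server truncates (TC bit) and the client
    retries over TCP; below it, the datagram is sent whole and the IP layer
    fragments it if it exceeds the path MTU budget.
    """
    if msg_len > advertised_max:
        return "truncated -> TCP retry"
    if msg_len > udp_payload_budget(path_mtu, ipv6):
        return "single UDP datagram, fragmented"
    return "single UDP datagram, unfragmented"


def break_points():
    """The per-datagram budgets the thread is implicitly comparing."""
    return {
        "IPv4 @ 576 (min reassembly)": udp_payload_budget(IPV4_MIN_REASSEMBLY),
        "IPv4 @ 1500 (Ethernet)": udp_payload_budget(ETHERNET_MTU),
        "IPv6 @ 1280 (min MTU)": udp_payload_budget(IPV6_MIN_MTU, ipv6=True),
        "IPv6 @ 1500 (Ethernet)": udp_payload_budget(ETHERNET_MTU, ipv6=True),
    }


if __name__ == "__main__":
    for label, budget in break_points().items():
        print(f"{label:30s} {budget} bytes of DNS message per datagram")
    # Assumed EDNS buffer of 4096: a 1460-byte DNSSEC answer fits on IPv4 but not IPv6 Ethernet.
    for ipv6 in (False, True):
        print("IPv6" if ipv6 else "IPv4", classify_response(1460, advertised_max=4096, ipv6=ipv6))
```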
