[dns-operations] Limit on Name Servers & their IPs for a sub-domain

John Kristoff jtk at depaul.edu
Thu Jan 11 15:47:01 UTC 2018


On Thu, 11 Jan 2018 15:11:00 +0000
James Stevens <James.Stevens at jrcs.co.uk> wrote:

> I am aware of the "traditional" limit of 13 NS records for a sub-domain, 
> is it considered that this still applies?

I don't think the magic number of 13 was codified in any early
specifications but rather the 512-byte UDP message size limit was.

I'm sure I don't know the DNS history as well as some others on this
list, but this in practice with IPv4 addresses in the additional section
led to the reasonable and practical number of 13 name servers for the
root.  It can probably now be chalked up to an accident of history
that the root uses the magic prime number 13 where it seems likely to
remain indefinitely.  Now however with the addition of IPv6 and other
things, the 512 limit has been breached.  See below for how that was
possible.

> But, I only tested a small number of address - is there some reason 
> (e.g. packet size, code restrictions, etc) that might mean more 
> addresses would not scale?

EDNS0, which is in widespread use, provides a standard option to
indicate support for larger UDP messages. See IETF RFC 2671.

There is also the fall back to TCP, which has been around since the
beginning.

> This suggests a theoretical unlimited servers for a sub-domain, so long 
> as they are represented as additional IP Addresses against the same name.

In fact, miscreants invented the idea of so-called double fast flux
(candidate for worst buzz phrase of all time :-) that effectively does
that.

> Is there any practical / theoretical / recommend limit ?

This is largely subjective and dependent on situation, but some basic
considerations are widely agreed upon.  For instance, at least two name
servers, more may be better, but too many may just be diminishing
returns and cost ineffective.

I tried to summarize some general guidance things in a presentation a
few years ago, but a BCP, BCOP, or other accessible guidance document
is probably not a bad thing to get written up one of these days.

John
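The numbers John mentions (13 root servers, the 512-byte UDP limit, and the IPv6 glue that pushed the root past it) fall out of the RFC 1035 wire format once name compression is taken into account. The following is an added worked example, not code from the thread: it builds a minimal NS answer with glue in wire format, with RFC 1035 section 4.1.4 label compression, and measures it. The `example.com` / `nsN.example.com` names, the all-zero placeholder addresses, and the 4096-byte EDNS0 buffer size are constructed assumptions; the `a.root-servers.net` to `m.root-servers.net` names are the real root server names.

```python
"""Wire-size budget for a DNS NS answer with glue: how many name servers, or how
many glue addresses behind one name, fit in a 512-byte UDP response before
EDNS0 (RFC 2671) or TCP fallback is needed.  Added example; not from the thread."""
import struct

HEADER_LEN = 12          # RFC 1035 section 4.1.1 fixed header
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
EDNS_BUFSIZE = 4096      # assumed EDNS0 advertised UDP payload size


class Message:
    """Just enough of a DNS message builder to measure sizes accurately."""

    def __init__(self):
        self.buf = bytearray(HEADER_LEN)   # header contents don't affect size
        self.offsets = {}                  # name suffix -> offset of first occurrence

    def write_name(self, name):
        """Write a domain name, replacing any suffix already present with a
        2-byte compression pointer (RFC 1035 section 4.1.4)."""
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels).lower()
            if suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) < 0x4000:     # pointers can only address 14 bits
                self.offsets[suffix] = len(self.buf)
            label = labels[0].encode()
            self.buf += bytes([len(label)]) + label
            labels = labels[1:]
        self.buf += b"\x00"                # root label terminates the name

    def question(self, qname, qtype, qclass=1):
        self.write_name(qname)
        self.buf += struct.pack("!HH", qtype, qclass)

    def rr(self, owner, rtype, rdata, ttl=172800, rclass=1):
        """Append a resource record; rdata is a domain name (compressed, for NS)
        or raw bytes (A, AAAA, OPT).  RDLENGTH is patched in afterwards."""
        self.write_name(owner)
        self.buf += struct.pack("!HHI", rtype, rclass, ttl)
        rdlen_pos = len(self.buf)
        self.buf += b"\x00\x00"
        if isinstance(rdata, str):
            self.write_name(rdata)
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, rdlen_pos, len(self.buf) - rdlen_pos - 2)


def referral_size(zone, ns_names, addrs_per_ns=1, aaaa_per_ns=0, edns=False):
    """Bytes in an NS answer for `zone` listing ns_names, with addrs_per_ns A glue
    and aaaa_per_ns AAAA glue records per server, optionally plus an OPT record."""
    m = Message()
    m.question(zone, TYPE_NS)
    for ns in ns_names:
        m.rr(zone, TYPE_NS, ns)
    for ns in ns_names:
        for _ in range(addrs_per_ns):
            m.rr(ns, TYPE_A, b"\x00" * 4)         # placeholder IPv4 glue (constructed)
        for _ in range(aaaa_per_ns):
            m.rr(ns, TYPE_AAAA, b"\x00" * 16)     # placeholder IPv6 glue (constructed)
    if edns:
        # OPT pseudo-RR: owner ".", CLASS carries the UDP payload size (RFC 2671)
        m.rr(".", TYPE_OPT, b"", ttl=0, rclass=EDNS_BUFSIZE)
    return len(m.buf)


def max_name_servers(limit, zone, edns=False):
    """Largest N such that ns1..nsN.<zone>, each with one A glue record, fits in limit."""
    n = 0
    while True:
        names = [f"ns{i}.{zone}" for i in range(1, n + 2)]
        if referral_size(zone, names, edns=edns) > limit:
            return n
        n += 1


def max_glue_addresses(limit, zone, ns_name, ipv6=False, edns=False):
    """Largest number of A (or AAAA) glue records behind a single NS name that
    still fits in limit: the 'many addresses, one name' case from the thread."""
    n = 0
    while True:
        size = referral_size(zone, [ns_name],
                             addrs_per_ns=0 if ipv6 else n + 1,
                             aaaa_per_ns=n + 1 if ipv6 else 0, edns=edns)
        if size > limit:
            return n
        n += 1


ROOT_NS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]

if __name__ == "__main__":
    print("root, 13 NS + A glue:        ", referral_size(".", ROOT_NS))
    print("root, 13 NS + A + AAAA glue: ", referral_size(".", ROOT_NS, aaaa_per_ns=1))
    print("root, same + OPT record:     ", referral_size(".", ROOT_NS, aaaa_per_ns=1, edns=True))
    print("example.com NS names in 512: ", max_name_servers(512, "example.com"))
    print("one NS name, A glue in 512:  ", max_glue_addresses(512, "example.com", "ns1.example.com"))
    print("one NS name, A glue in 4096: ", max_glue_addresses(4096, "example.com", "ns1.example.com", edns=True))
```

Running it shows why 13 was the practical ceiling: the 13 root NS records plus 13 A glue records come to 436 bytes, under 512, while adding one AAAA per server takes the same answer to 800 bytes (811 with the OPT record), which is only deliverable with EDNS0 or over TCP. For a sub-domain with `nsN.example.com` names the arithmetic allows 14 servers with IPv4 glue in 512 bytes, and since every extra A record behind the same name costs only 16 bytes, a single name can carry 29 addresses in 512 bytes and a few hundred once a 4096-byte EDNS0 buffer is advertised, which is the packet-level reality behind the "many IPs on one name" pattern John describes. Resolver-side, the question to ask is whether such answers are served truncated (TC bit) to clients without EDNS0, and whether TCP/53 is actually reachable for the fallback.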
