[dns-operations] Limit on Name Servers & their IPs for a sub-domain
Mark Andrews
marka at isc.org
Thu Jan 11 22:54:50 UTC 2018
And if you were to do this today you would get a smaller number than 13
512-12-1-2-2-1-2-2-4-2-19-y*(15+16+28)+15
y needs to be <= 8 for this to remain positive
16 bytes for each A record.
28 bytes for each AAAA record.
15 bytes for each additional NS record.
If we ever get to the state where the roots are IPv6 only, 11 servers will fit.
> On 12 Jan 2018, at 2:47 am, John Kristoff <jtk at depaul.edu> wrote:
>
> On Thu, 11 Jan 2018 15:11:00 +0000
> James Stevens <James.Stevens at jrcs.co.uk> wrote:
>
>> I am aware of the "traditional" limit of 13 NS records for a sub-domain,
>> is it considered that this still applies?
>
> I don't think the magic number of 13 was codified in any early
> specifications but rather the 512-byte UDP message size limit was.
>
> I'm sure I don't know the DNS history as well as some others on this
> list, but this in practice with IPv4 addresses in the additional section
> led to the reasonable and practical number of 13 name servers for the
> root. It can probably now be chalked up to an accident of history
> that the root uses the magic prime number 13 where it seems likely to
> remain indefinitely. Now however with the addition of IPv6 and other
> things, the 512 limit has been breached. See below for how that was
> possible.
>
>> But, I only tested a small number of addresses - is there some reason
>> (e.g. packet size, code restrictions, etc) that might mean more
>> addresses would not scale?
>
> EDNS0, which is in widespread use, provides a standard option to
> indicate support for larger UDP messages. See IETF RFC 2671.
>
> There is also the fall back to TCP, which has been around since the
> beginning.
>
>> This suggests theoretically unlimited servers for a sub-domain, so long
>> as they are represented as additional IP Addresses against the same name.
>
> In fact, miscreants invented the idea of so-called double fast flux
> (candidate for worst buzz phrase of all time :-) that effectively does
> that.
>
>> Is there any practical / theoretical / recommended limit ?
>
> This is largely subjective and dependent on situation, but some basic
> considerations are widely agreed upon. For instance, at least two name
> servers, more may be better, but too many may just be diminishing
> returns and cost ineffective.
>
> I tried to summarize some general guidance things in a presentation a
> few years ago, but a BCP, BCOP, or other accessible guidance document
> is probably not a bad thing to get written up one of these days.
>
> John
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
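Added example, not part of the thread: the Python below builds a root priming response (question ". IN NS", one NS per server in the answer, A/AAAA glue in the additional section) in wire format with RFC 1035 name compression and returns its size, so the byte accounting above can be checked against actual bytes. The server names follow the a.root-servers.net pattern; the addresses are constructed documentation-range placeholders, not the real root server addresses, and the TTL and header flags are assumed values that do not affect the size.

```python
import ipaddress
import struct

def add_name(msg, offsets, name):
    """Append `name` (no trailing dot; "" is the root) using RFC 1035 compression."""
    labels = [label for label in name.split(".") if label]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:                    # seen before: emit a 2-byte pointer
            msg += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(msg) < 0x4000:                    # pointers can only address 14 bits
            offsets[suffix] = len(msg)
        msg += bytes([len(label)]) + label.encode("ascii")
    msg.append(0)                                # root label terminates the name

def add_rr(msg, offsets, name, rtype, rdata=b"", target=None):
    """Append one IN record; `target` is a compressible name used as NS rdata."""
    add_name(msg, offsets, name)
    msg += struct.pack("!HHI", rtype, 1, 518400)  # TYPE, CLASS IN, TTL (assumed)
    rdlen_at = len(msg)
    msg += b"\x00\x00"                            # RDLENGTH placeholder, patched below
    if target is not None:
        add_name(msg, offsets, target)
    msg += rdata
    struct.pack_into("!H", msg, rdlen_at, len(msg) - rdlen_at - 2)

def priming_response(nservers, ipv4=True, ipv6=True):
    """Wire size in bytes of a '. IN NS' answer for nservers names plus their glue."""
    arcount = nservers * (int(ipv4) + int(ipv6))
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, nservers, 0, arcount))
    offsets = {}
    names = [chr(ord("a") + i) + ".root-servers.net" for i in range(nservers)]
    add_name(msg, offsets, "")                    # question section: "." NS IN
    msg += struct.pack("!HH", 2, 1)
    for name in names:                            # answer section: one NS per server
        add_rr(msg, offsets, "", 2, target=name)
    for i, name in enumerate(names):              # additional section: constructed glue
        if ipv4:
            add_rr(msg, offsets, name, 1, ipaddress.ip_address(f"192.0.2.{i + 1}").packed)
        if ipv6:
            add_rr(msg, offsets, name, 28, ipaddress.ip_address(f"2001:db8::{i + 1}").packed)
    return len(msg)

def max_servers(limit=512, **glue):
    """Largest server count (a..z) whose priming response fits in `limit` bytes."""
    n = 0
    while n < 26 and priming_response(n + 1, **glue) <= limit:
        n += 1
    return n
```

With both A and AAAA glue, 13 servers encode to 800 bytes, well past 512, which is why priming today relies on EDNS0 or TCP; 8 servers fit with dual-stack glue and 11 with AAAA-only glue, matching the figures above.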