DNS UDP or TCP?
Brad Knowles
brad.knowles at skynet.be
Thu Sep 27 01:35:08 UTC 2001
At 12:11 AM +0000 9/27/01, Barry Margolin wrote:
> (the limit is typically only exceeded by web hosting
> organizations that feel the need to create a PTR record for every A record,
> and they have thousands of names pointing to the same address).
For typical behaviour that may be true, but I'll take this opportunity yet once again to warn people to avoid at all possible costs causing truncation to occur with standard NS or MX queries for a zone.

There are still far too many servers out there that do not properly deal with truncations, and if you cause truncation to occur for NS or MX queries, this can break all mail getting to/from your site and a surprising number of other places on the 'net.

Also, if you are handling mail for a large site, do not list too many MXes for your zone, or too many IP addresses for the set of named MXes that you list.

For example, if you list nine MXes (or nine IP addresses), and all nine of them are unreachable with connection timeouts, then it will take eighteen minutes to cycle through that complete list of MXes/IPs (two minutes per address), just to discover that none of them are reachable and that one particular message cannot be delivered at the moment to that recipient or set of recipients.

This doesn't sound too excessive with nine MXes/IPs, but with sixteen MXes/IPs, it would take over thirty minutes. If you had nine MXes with five IPs each (e.g., a total of 45 IPs), that would take over ninety minutes to go through.

Since most sites on the Internet cause their queues to be flushed roughly every hour or so, you would be causing queue processes to be created faster than they can possibly be completed, potentially resulting in the filling of all memory on the sending system and causing it to crash. Multiply this out by large numbers of systems across the world sending you mail, and you have a very, very serious problem.

Besides, with something like four MXes and four IPs per MX, if the sender got a "connection refused" at the first IP address for the MX, then it would skip the other three IPs for that MX and go on to the next MX on the list. This would pretty much eliminate the usefulness of this bizarro scheme of load balancing.

Trust me, if you have a need to list this many MXes in the DNS, you should be using L4 load balancing switches sitting in front of the mail servers, and you should publish many, many fewer IP addresses.

For those of you who may not remember (and for the advantage of people searching the archives), at the time of the "Black Tuesday" 19 hour network outage at AOL, we had nine MXes listed in the DNS, and each one had five IPs (actually, it was forty-five separate machines, but this was the best way I could figure out to get all their IP addresses listed).

Yes, this ended up taking out pretty much all mail across the entire Internet. Yes, I was personally blamed for that, but I learned my lesson. Unfortunately, it looks like AOL is now going back to a scheme more like what we had just before the outage. ;-(
--
Brad Knowles, <brad.knowles at skynet.be>
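The MX-walk timing the post describes (two minutes per unreachable address, "connection refused" on an MX's first address skipping that MX's remaining addresses, and a queue-flush interval of about an hour), as an added model that is not part of the original message. The MX names, 192.0.2.x addresses and per-address outcomes are constructed; how a later-address refusal is handled is an assumption, since the post only describes the first-address case.

```python
# Added example: a model of the sender-side MX walk as described in the post.
# Assumptions: every connection timeout costs TIMEOUT seconds; "refused" on the
# first address of an MX skips that MX's other addresses; a successful connect
# ends the walk.  Refusals on later addresses (not covered by the post) are
# assumed to cost no time and simply move on to the next address.

TIMEOUT = 120  # seconds per unreachable address (the post's "two minutes")


def mx_walk(mx_list, outcomes):
    """Walk MX hosts in preference order and each host's addresses in order.

    mx_list:  [(preference, mx_name, [ip, ...]), ...]
    outcomes: {ip: "timeout" | "refused" | "ok"}; unknown ips time out.
    Returns (elapsed_seconds, addresses_tried, delivered).
    """
    elapsed, tried = 0, []
    for _pref, _name, ips in sorted(mx_list):
        for i, ip in enumerate(ips):
            tried.append(ip)
            result = outcomes.get(ip, "timeout")
            if result == "ok":
                return elapsed, tried, True
            if result == "timeout":
                elapsed += TIMEOUT
                continue
            if i == 0:  # refused on the first address: skip the rest of this MX
                break
    return elapsed, tried, False


def fanout(n_mx, ips_per_mx):
    """Constructed zone layout: n_mx hosts with ips_per_mx addresses each."""
    return [(10 * (k + 1), f"mx{k + 1}.example.test",
             [f"192.0.2.{k * ips_per_mx + j + 1}" for j in range(ips_per_mx)])
            for k in range(n_mx)]


def minutes_to_exhaust(n_mx, ips_per_mx):
    """Worst case from the post: every published address times out."""
    elapsed, _tried, _delivered = mx_walk(fanout(n_mx, ips_per_mx), {})
    return elapsed / 60


def queue_runs_overlap(n_mx, ips_per_mx, flush_interval_min=60):
    """True when one failed delivery attempt outlasts the queue-flush interval,
    i.e. queue runners pile up faster than they can finish."""
    return minutes_to_exhaust(n_mx, ips_per_mx) > flush_interval_min
```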