DNS UDP or TCP?

Brad Knowles brad.knowles at skynet.be
Thu Sep 27 01:35:08 UTC 2001


At 12:11 AM +0000 9/27/01, Barry Margolin wrote:

>                       (the limit is typically only exceeded by web hosting
>  organizations that feel the need to create a PTR record for every A record,
>  and they have thousands of names pointing to the same address).

	For typical behaviour that may be true, but I'll take this 
opportunity yet once again to warn people to avoid at all possible 
costs causing truncation to occur with standard NS or MX queries for 
a zone.

	There are still far too many servers out there that do not 
properly deal with truncations, and if you cause truncation to occur 
for NS or MX queries, this can break all mail getting to/from your 
site and a surprising number of other places on the 'net.


	Also, if you are handling mail for a large site, do not list too 
many MXes for your zone, or too many IP addresses for the set of 
named MXes that you list.

	For example, if you list nine MXes (or nine IP addresses), and 
all nine of them are unreachable with connection timeouts, then it 
will take eighteen minutes to cycle through that complete list of 
MXes/IPs (two minutes per address), just to discover that none of 
them are reachable and that one particular message cannot be 
delivered at the moment to that recipient or set of recipients.

	This doesn't sound too excessive with nine MXes/IPs, but with 
sixteen MXes/IPs, it would take over thirty minutes.   If you had 
nine MXes with five IPs each (e.g., a total of 45 IPs), that would 
take over ninety minutes to go through.

	Since most sites on the Internet cause their queues to be flushed 
roughly every hour or so, you would be causing queue processes to be 
created faster than they can possibly be completed, potentially 
resulting in the filling of all memory on the sending system and 
causing it to crash.  Multiply this out by large numbers of systems 
across the world sending you mail, and you have a very, very serious 
problem.


	Besides, with something like four MXes and four IPs per MX, if 
the sender got a "connection refused" at the first IP address for the 
MX, then it would skip the other three IPs for that MX and go on to 
the next MX on the list.  This would pretty much eliminate the 
usefulness of this bizarro scheme of load balancing.


	Trust me, if you have a need to list this many MXes in the DNS, 
you should be using L4 load balancing switches sitting in front of 
the mail servers, and you should publish many, many fewer IP 
addresses.



	For those of you who may not remember (and for the advantage of 
people searching the archives), at the time of the "Black Tuesday" 19 
hour network outage at AOL, we had nine MXes listed in the DNS, and 
each one had five IPs (actually, it was forty-five separate machines, 
but this was the best way I could figure out to get all their IP 
addresses listed).

	Yes, this ended up taking out pretty much all mail across the 
entire Internet.  Yes, I was personally blamed for that, but I 
learned my lesson.  Unfortunately, it looks like AOL is now going 
back to a scheme more like what we had just before the outage.  ;-(

-- 
Brad Knowles, <brad.knowles at skynet.be>
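The warning above about truncated NS/MX answers is easy to check before publishing a record set. The following is an added example, not part of Brad's post or of BIND: it wire-encodes a hypothetical answer (header, question, one NS or MX RR per host, and an A glue record per listed address) with RFC 1035 label compression and compares the result with the classic 512-byte UDP payload limit of 2001-era DNS, i.e. without EDNS. The zone name, host names and 192.0.2.0/24 addresses are constructed; a real authoritative server may omit some glue or order names differently, so treat the figure as the size of a fully populated answer.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # DNS over UDP without EDNS (RFC 1035)


def encode_name(name, offsets, position):
    """Wire-encode a domain name with RFC 1035 label compression.

    offsets maps an already-emitted suffix ("example.com") to its message
    offset; position is the offset at which this name will start.
    Returns the encoded bytes: labels, optionally ending in a 2-byte pointer."""
    labels = name.rstrip(".").split(".")
    out = bytearray()
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        if position + len(out) < 0x4000:  # pointers carry 14-bit offsets
            offsets[suffix] = position + len(out)
        label = labels.pop(0).encode("ascii")
        out.append(len(label))
        out += label
    out.append(0)  # root label terminates an uncompressed name
    return bytes(out)


def response_size(zone, qtype, records, with_glue=True):
    """Byte size of the answer to an NS or MX query for `zone`.

    records: list of (preference, hostname, [ipv4, ...]); preference is
    ignored for NS. One RR per record goes in the answer section and, if
    with_glue, one A record per listed address in the additional section."""
    offsets = {}
    size = 12  # fixed header
    size += len(encode_name(zone, offsets, size)) + 4  # QTYPE + QCLASS
    for _pref, host, _ips in records:
        size += len(encode_name(zone, offsets, size))
        size += 10  # TYPE, CLASS, TTL, RDLENGTH
        if qtype == "MX":
            size += 2  # PREFERENCE
        size += len(encode_name(host, offsets, size))
    if with_glue:
        for _pref, host, ips in records:
            for _ip in ips:
                size += len(encode_name(host, offsets, size))
                size += 10 + 4  # RR fields + IPv4 RDATA
    return size


def truncation_risk(zone, qtype, records):
    """Return (size, truncated) for the full answer including glue."""
    size = response_size(zone, qtype, records)
    return size, size > UDP_PAYLOAD_LIMIT


def make_mx_set(zone, n_mx, ips_per_mx):
    """Constructed host set mx1..mxN under `zone` with addresses taken from
    the 192.0.2.0/24 documentation range (RFC 5737)."""
    records = []
    for m in range(1, n_mx + 1):
        ips = [f"192.0.2.{(m - 1) * ips_per_mx + k}" for k in range(1, ips_per_mx + 1)]
        records.append((10 * m, f"mx{m}.{zone}", ips))
    return records


if __name__ == "__main__":
    for n_mx, per_mx in ((4, 1), (9, 1), (9, 5)):
        size, trunc = truncation_risk("example.com.", "MX", make_mx_set("example.com.", n_mx, per_mx))
        print(f"{n_mx} MX x {per_mx} IP: {size} bytes, {'TRUNCATED' if trunc else 'fits'}")
```

Nine MXes with one address each stay well under the limit; the nine-by-five layout described later in the post comes out at roughly 930 bytes, so the UDP answer would be truncated and depend on every resolver and MTA retrying over TCP.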
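The retry arithmetic in the post (two minutes per unreachable address, queue runs roughly hourly, "connection refused" skipping the rest of an MX's addresses) can be modelled directly. This is an added example, not code from the post or from any MTA: it walks a constructed MX list in preference order with the sender behaviour the post describes, totals the time spent on connection timeouts, and reports how many hourly queue runs would overlap one delivery attempt. Addresses are from 192.0.2.0/24; real MTAs differ in timeouts and in how they treat a refused connection, so the constants are the post's figures, not a standard.

```python
import math

CONNECT_TIMEOUT = 120   # seconds per unreachable address ("two minutes per address")
QUEUE_INTERVAL = 3600   # seconds between queue runs ("roughly every hour")


def make_mx_set(n_mx, ips_per_mx):
    """Constructed MX set for example.com: mx1..mxN, ips_per_mx addresses each."""
    records = []
    for m in range(1, n_mx + 1):
        ips = [f"192.0.2.{(m - 1) * ips_per_mx + k}" for k in range(1, ips_per_mx + 1)]
        records.append((10 * m, f"mx{m}.example.com.", ips))
    return records


def simulate_delivery(mx_records, outcomes, connect_timeout=CONNECT_TIMEOUT):
    """Walk the MX list the way the post describes a sender doing it.

    mx_records: list of (preference, hostname, [ips]), tried in preference
    order. outcomes maps ip -> 'timeout', 'refused' or 'accept'; addresses
    not listed are treated as timing out.
      timeout -> wait connect_timeout, then try the host's next address
      refused -> give up on this host at once and move to the next MX
      accept  -> delivered
    Returns (delivered, elapsed_seconds, attempts)."""
    elapsed = 0
    attempts = []
    for _pref, host, ips in sorted(mx_records, key=lambda r: r[0]):
        for ip in ips:
            result = outcomes.get(ip, "timeout")
            attempts.append((host, ip, result))
            if result == "accept":
                return True, elapsed, attempts
            if result == "refused":
                break  # remaining addresses of this MX are never tried
            elapsed += connect_timeout
    return False, elapsed, attempts


def concurrent_queue_runs(elapsed, queue_interval=QUEUE_INTERVAL):
    """Queue runs in progress at once when a single attempt cycle takes
    `elapsed` seconds and a new run starts every queue_interval seconds.
    Anything above 1 means runs start faster than they can finish."""
    return max(1, math.ceil(elapsed / queue_interval))


def worst_case_report(n_mx, ips_per_mx):
    """All addresses unreachable: (minutes per attempt cycle, overlapping runs)."""
    records = make_mx_set(n_mx, ips_per_mx)
    _, elapsed, _ = simulate_delivery(records, {})
    return elapsed // 60, concurrent_queue_runs(elapsed)


if __name__ == "__main__":
    for n_mx, per_mx in ((9, 1), (16, 1), (9, 5)):
        minutes, runs = worst_case_report(n_mx, per_mx)
        print(f"{n_mx} MX x {per_mx} IP: {minutes} min per cycle, {runs} overlapping queue run(s)")
    # Four MXes with four addresses each, first address of mx1 refuses:
    delivered, elapsed, attempts = simulate_delivery(make_mx_set(4, 4), {"192.0.2.1": "refused"})
    print(f"refused case: delivered={delivered}, {elapsed // 60} min, {len(attempts)} addresses tried")
```

With nine MXes of five addresses each the cycle runs 90 minutes against a 60-minute queue interval, so two runs are always in flight and the backlog grows; in the four-by-four case a refusal on the first address of mx1 means its other three addresses are never tried, which is the point the post makes about that load-balancing scheme.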
