RRSet size limitation lower than predicted by RDLENGTH field size
    Tom Byrnes
    tomb at threatstop.com
    Mon Apr 21 01:49:59 UTC 2008

See below
-----Original Message-----
From: Danny Mayer [mailto:mayer at gis.net] 
Sent: Sunday, April 20, 2008 6:05 PM
To: Tom Byrnes
Cc: bind-users at isc.org
Subject: Re: RRSet size limitation lower than predicted by RDLENGTH field size
Tom Byrnes wrote:
> We're pushing the limits of RRSet sizes for A records in the responses to
> queries for our lists, but we're finding that the practical limit is much
> lower than that predicted in the binary message format specs.
>  
What limits do you think you are pushing?

[Tom Byrnes] Maximum returned RRs in a single RRSet
> The octets in the RDLENGTH param (16 bit unsigned = 65535) should allow
> 16384 A records in a single RRSET using TCP, but the behavior we are
> observing in BIND is a limitation of 4096 A records.
>  
Your calculations are wrong since there's additional information sent in 
a DNS packet. 
[Tom Byrnes] Actually, my calculations were wrong because I ascribed all the
returns for a single RRSet as being in one RDATA field in a single RR. When
I did it the RIGHT way, with each RR having its own full RR header, taking
into account the TCP message length field, I found exactly why I was running
into the limit.
In any case DNS usually uses UDP and not TCP.
[Tom Byrnes] That depends entirely on the size of the RRSet. TCP DNS has
been specified since RFC1035.
If the query client supports it, it will use EDNS0 to send the responses.
[Tom Byrnes] Much more recent, and not remotely large enough for our needs,
nor widely enough supported in our target platforms: firewalls.
In addition, since you apparently have too many addresses to fit in a UDP
packet, you are exceeding the ability of the DNS to send it via UDP, so it
sends a truncated flag to indicate to the client that it needs to retry with
TCP.
[Tom Byrnes] That's handled natively in bind, first return in a UDP packet
with TC set, the client then retries with TCP.
> We're using Bind 9.4.1-P1 on Gentoo.
>  
> Any ideas what's causing this, or how to fix it?
>  
Why do you have so many address records for a single name?
 
[Tom Byrnes] Because there are, at any given moment, that many, or more,
active bots on the Internet.
Danny
[Tom Byrnes] Thanks for your response, and sorry for wasting the list's
time. I guess that, at least, next time someone googles BIND DNS TCP RRSET
record limitation, they will, unlike me, find an answer ;-)
> Thanks in advance.
>  
> Tom Byrnes
> CTO
> ThreatSTOP
> 
> 
> 
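The arithmetic Tom describes above, worked through as an added example (not code from the original thread or from BIND): every A record in the answer section carries its own RR header, so the per-record cost is a 2-byte compression pointer for NAME plus TYPE, CLASS, TTL and RDLENGTH plus 4 bytes of RDATA, 16 bytes in all, and the whole message must fit in the 16-bit length prefix of a DNS/TCP message (RFC 1035 section 4.2.2). The query name `bots.example.com.` and the 512-byte classic UDP payload are assumptions chosen for illustration.

```python
"""Size a DNS response carrying N A records for one owner name.

Wire-format layout (RFC 1035 section 4.1): 12-byte header, then the
question (QNAME, QTYPE, QCLASS), then one RR per answer, each of
NAME, TYPE, CLASS, TTL, RDLENGTH and RDATA.  With name compression,
every answer NAME is a 2-byte pointer back to the QNAME.
"""

DNS_HEADER_LEN = 12          # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
TCP_MAX_MESSAGE = 65535      # two-byte length prefix on DNS over TCP
CLASSIC_UDP_PAYLOAD = 512    # pre-EDNS0 UDP limit; EDNS0 advertises a larger one
A_RDLENGTH = 4               # an IPv4 address


def wire_name_len(name):
    """Length of a domain name in uncompressed wire format."""
    labels = [label for label in name.strip(".").split(".") if label]
    # each label is a length octet plus the label; the root is a single 0 octet
    return sum(1 + len(label) for label in labels) + 1


def rr_size(rdlength, owner=None):
    """Bytes for one RR; NAME is a 2-byte compression pointer unless an
    explicit owner name is given."""
    name_len = 2 if owner is None else wire_name_len(owner)
    return name_len + 2 + 2 + 4 + 2 + rdlength   # NAME TYPE CLASS TTL RDLENGTH RDATA


def response_size(qname, n_records, rdlength=A_RDLENGTH):
    """Total message size for a response whose answer section holds
    n_records RRs of the same type under the query name."""
    question = wire_name_len(qname) + 2 + 2       # QNAME QTYPE QCLASS
    return DNS_HEADER_LEN + question + n_records * rr_size(rdlength)


def max_records(qname, rdlength=A_RDLENGTH, limit=TCP_MAX_MESSAGE):
    """Largest RRSet that still fits in a single message of the given limit."""
    overhead = response_size(qname, 0, rdlength)
    return (limit - overhead) // rr_size(rdlength)


def transport_needed(qname, n_records, udp_payload=CLASSIC_UDP_PAYLOAD):
    """Which transport ends up carrying the answer: a response that fits the
    UDP payload goes out in one datagram; a larger one is sent truncated
    (TC=1) and the client retries over TCP; beyond the TCP ceiling nothing
    can carry the full RRSet."""
    size = response_size(qname, n_records)
    if size <= udp_payload:
        return "UDP"
    if size <= TCP_MAX_MESSAGE:
        return "TCP"
    return "too large"


if __name__ == "__main__":
    qname = "bots.example.com."        # constructed example owner name
    n = max_records(qname)
    print(f"{qname}: {n} A records fit over TCP "
          f"({response_size(qname, n)} bytes of {TCP_MAX_MESSAGE})")
    print(f"{qname}: {max_records(qname, limit=CLASSIC_UDP_PAYLOAD)} "
          f"A records fit in a {CLASSIC_UDP_PAYLOAD}-byte UDP payload")
```

For the assumed name this comes out at 4093 records over TCP, a few short of 4096 because the header and question section eat into the 65535-byte budget; 29 records fit in a classic 512-byte datagram, and anything between those two sizes triggers the TC-then-retry-over-TCP path discussed in the thread. EDNS0 only changes the UDP ceiling; the 16-bit message length applies to any transport.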