Compression / Pointers on returned queries
Kevin Darcy
kcd at chrysler.com
Thu Jun 5 03:48:22 UTC 2008
Mark Andrews wrote:
>> Brian Feeny wrote:
>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org]
>>>> Sent: Wednesday, June 04, 2008 9:57 PM
>>>> To: Brian Feeny
>>>> Cc: bind-users at isc.org
>>>> Subject: Re: Compression / Pointers on returned queries
>>>>
>>>>
>>>> Why do you care? As long as you get the answer in a single
>>>> packet it makes little to no difference. Also why are you
>>>> asking recursive queries? If you want to test authoritative
>>>> servers then you should be making non-recursive queries.
>>>> The server should also be configured not to accept recursive
>>>> queries from anywhere.
>>>>
>>>>
>>> Because a response of >512 bytes causes pain because of firewalls/etc that
>>> may drop the packets by default.
>>>
>>>
>> How old are these devices? RFC 2671 was published in August of 1999.
>>
>
> RFC 1034 was published in 1987. These boxes aren't even
> RFC 1034 compliant.
>
>
>> Note that you can configure named to use 512 as its EDNS0 buffer size, to
>> get around middlebox obsolescence/brokenness. See "edns-udp-size" in the
>> ARM documentation.
>>
>> - Kevin
>>
>
> Which only works if the server talks EDNS which it doesn't.
>
I thought there were some versions of dig which silently advertised a 2K
buffer size, but either I was mistaken, or it's irrelevant in this case
anyway. This nameserver implementation/instance is indeed returning an
illegal response packet (verified with a packet trace), and any attempt
to use EDNS just results in a FORMERR response. Disgusting.
Mostly, though, I was responding to the comment "a response of >512
bytes causes pain because of firewalls/etc", which also shouldn't be an
issue if the middleboxes are reasonably modern and EDNS-aware. That
point is rather academic, however, when the responding server flagrantly
violates even older, more established standards...
Of course, the Akamai stuff _also_ technically violates standards by
allowing chained CNAMEs. I've known about that one for quite some time,
and raised that as an issue with them, but this latest
standards-violation is a new one on me.
- Kevin
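The thread turns on three wire-level details: compression pointers in a response (RFC 1035 section 4.1.4), the 512-byte limit that applies to a UDP client without EDNS0, and the buffer size advertised in an EDNS0 OPT record. The following example is added here and is not code from this thread or from BIND; it decodes a response while rejecting forward or looping pointers and reports the size-related facts, and the sample message is constructed, not captured from the server under discussion.

```python
import struct

def _name(labels):
    # Wire-encode an uncompressed name: length-prefixed labels plus the root (RFC 1035 3.1)
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off, hops=0):
    """Decode the name at `off`, following compression pointers (RFC 1035 4.1.4).
    A pointer must refer to an earlier offset; forward/self pointers and long chains are rejected."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 11xxxxxx: 14-bit pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops > 15:
                raise ValueError("illegal compression pointer at offset %d" % off)
            if end is None: end = off + 2          # name ends after the first pointer
            off, hops = ptr, hops + 1
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) or ".", (end if end is not None else off)

def inspect_response(msg):
    """Walk every section of a response; report length, TC bit, the EDNS0 UDP payload
    size from an OPT record (None if absent) and whether a non-EDNS client can take it."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, edns = 12, None
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = read_name(msg, off)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                            # OPT: CLASS field carries UDP payload size
            edns = rclass
        off += 10 + rdlen
    return {"len": len(msg), "tc": bool(flags & 0x0200),
            "edns_udp_size": edns, "fits_512": len(msg) <= 512}

# Constructed sample: example.com A, answer owner is a pointer to the question name at
# offset 12, plus an OPT record (root owner) advertising a 4096-byte UDP buffer.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
          + _name(["example", "com"]) + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
          + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
```

Run `inspect_response` over a packet-trace payload to see whether a reply relies on EDNS0 (OPT present) or exceeds 512 bytes without the TC bit, and `read_name` raises on the kind of malformed pointer a strict resolver would refuse.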