Side-effects of edns-udp-size 512
Ray Van Dolson
rvandolson at esri.com
Mon May 3 16:34:13 UTC 2010
On Fri, Apr 30, 2010 at 11:55:48PM -0700, Cathy Almond wrote:
> Hi Ray,
>
> I'd recommend not using type 'any' in your tests - the results won't
> always be what you expect. ANY is a diagnostic query type - and what a
> recursive nameserver does when it receives it will depend on what it has
> already in cache - sometimes it will answer with what it has already,
> and sometimes it will go off and make onward queries. What happens to
> be in cache at the moment the query is received and not the
> edns-udp-size setting is the more likely explanation for what you're
> observing.
>
> Cathy
Thanks Cathy, that makes sense.
I believe having edns-udp-size set at 512 gives us maximum
compatibility with anything out there behind a broken firewall, etc,
though we should look at removing the limit at some point in the future
when possible.
Ray
>
> Ray Van Dolson wrote:
> > Have been doing some testing[1] of our firewalls and DNS servers for
> > the upcoming signing of the last root server and ran into something I'm
> > not completely sure about.
> >
> > The tests in the ISC post[1] from earlier this year run fine when
> > pointed directly at the L server (IOW, our firewalls do handle this
> > just fine), but, in the past we'd set edns-udp-size 512 on our internal
> > resolvers to work around some _remote_ domains that didn't play nice
> > with EDNS or larger packet sizes.
> >
> > Yeah, I know it's probably better from a "good netizen" standpoint to
> > not use this parameter and instead try to get remote sites that cause
> > problems to fix their environments, but... that's how it is for now.
> >
> > Now, when I re-run the tests in the ISC post[1] pointing at our local
> > resolver instead of the L server, many of the larger responses come
> > back truncated.
> >
> > For example the query:
> >
> > dig +dnssec +norec +ignore any . @<resolver>
> >
> > On a BIND server _without_ edns-udp-size 512 set returns the full list
> > of servers in the "additional" section. However, on the server that
> > _does_ have edns-udp-size 512 set, we only get back three of the root
> > servers.
> >
> > Now, is this directly the result of us limiting edns via UDP to 512
> > bytes or is our DNS server not reassembling fragmented packets to
> > correctly form the entire response?
> >
> > What other potential side effects might we run into from using
> > edns-udp-size 512? It was my understanding that there really shouldn't
> > be any -- thinsg should just keep working as always, but these tests
> > have given me some pause.
> >
> > Thanks!
> >
> > Ray
> >
> > [1] https://lists.isc.org/mailman/htdig/bind-users/2010-February/078755.html
More information about the bind-users
mailing list