packet too big
Michael Varre
bind9 at kishmish.com
Fri Jul 9 15:41:43 UTC 2004
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Jim Reid
> Sent: Friday, July 09, 2004 11:37 AM
> To: Michael Varre
> Cc: bind-users at isc.org
> Subject: Re: packet too big
>
> >>>>> "Michael" == Michael Varre <bind9 at kishmish.com> writes:
>
> Michael> Yes, they are being blocked because they are larger than
> Michael> 512 bytes - I just don't understand why they are that
> Michael> large. Seems there should be a better explanation than
> Michael> just allowing larger packets through via a fixup.
>
> There is nothing in the DNS protocol that limits answers to 512 bytes.
> The string in a TXT record for instance can be up to 64 Kbytes. So it
> can't be assumed any answer from the DNS will be less than 512 bytes.
> That said, most DNS replies are < 512 bytes to avoid truncated
> responses and retried queries over TCP. However this cannot be assumed
> or guaranteed. You have no way of controlling what data other people
> put in their zones and therefore how much data their name servers have
> to send in a query response. There's even a DNS protocol extension,
> EDNS0, which allows for bigger UDP payloads. This will be a Big Win
> for things like DNSSEC, ENUM & IPv6 which can make DNS responses much
> bigger than they have been in the past.
>
> If you have a firewall that's blocking DNS payloads of more than 512
> bytes (i.e. EDNS0 packets or DNS traffic over TCP), it's broken. It's
> that simple.
OK, so plain and simple: my PIX should not be blocking DNS packets larger
than 512 bytes - it is an error on the PIX's end.
I didn't want to do that unless it were the _correct_ fix - thanks for your
help everyone - hopefully the day will get better now :)
mv
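The mechanics Jim describes above (the classic 512-byte UDP limit, the TC bit that tells a client to retry over TCP, and the EDNS0 OPT record that lets a client advertise a larger UDP payload) can be seen on the wire without any network access. The following is an added example, not code from the thread or from BIND: it hand-builds a TXT query with and without EDNS0, builds an oversized TXT answer, shows how a server shrinks it to a TC-flagged reply when the client has not advertised a bigger buffer, and models the filter described in the thread (anything over 512 bytes dropped) to show which legitimate replies it would kill. The name example.com, the transaction IDs and the TXT strings are constructed for the illustration.

```python
"""Constructed DNS/UDP size demo: EDNS0 buffer size, TC bit, and a 512-byte filter."""
import struct

TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1
CLASSIC_UDP_MAX = 512   # RFC 1035 limit for DNS over UDP when no OPT RR is present


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(msg, offset):
    """Return the offset just past the (possibly compressed) name at offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def build_query(name, qtype, txid, edns_bufsize=None):
    """Standard query (RD set) with one question; if edns_bufsize is given,
    append an EDNS0 OPT RR advertising that UDP payload size (RFC 6891)."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if edns_bufsize:
        # OPT RR: root owner name, TYPE 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE/version/flags (all zero), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def build_txt_response(query, strings):
    """Answer a one-question query with a single TXT RR whose RDATA is the given
    character-strings (bytes, each <= 255). Owner name is a pointer to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    return header + question + rr


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict (flags of interest: QR, TC, RCODE)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """UDP payload size the client advertised in its OPT RR, or 512 without EDNS0."""
    hdr = parse_header(query)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(query, off) + 4
    for _ in range(hdr["arcount"]):          # a query has no answer/authority RRs
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_MAX


def fit_for_udp(response, max_size):
    """What a server does when the full answer exceeds the client's limit: return
    header + question only (one-question message assumed) with TC set, so the
    client retries the query over TCP."""
    if len(response) <= max_size:
        return response
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    qend = skip_name(response, 12) + 4
    return struct.pack("!HHHHHH", txid, flags | 0x0200, qd, 0, 0, 0) + response[12:qend]


def broken_firewall_allows(packet):
    """Constructed model of the filter described in the thread: any DNS/UDP
    payload over 512 bytes is dropped, whether or not EDNS0 was negotiated."""
    return len(packet) <= CLASSIC_UDP_MAX


if __name__ == "__main__":
    big_txt = [b"v=spf1 " + b"a" * 240] * 3        # ~750 bytes of constructed TXT data
    q_plain = build_query("example.com", TYPE_TXT, 0x1234)
    q_edns = build_query("example.com", TYPE_TXT, 0x1234, edns_bufsize=4096)
    full = build_txt_response(q_plain, big_txt)
    print("full answer:", len(full), "bytes")
    for q in (q_plain, q_edns):
        limit = advertised_udp_size(q)
        wire = fit_for_udp(full, limit)
        print(f"client limit {limit}: server sends {len(wire)} bytes, "
              f"TC={parse_header(wire)['tc']}, broken filter passes={broken_firewall_allows(wire)}")
```

Run it and the two cases line up with the thread: with no OPT record the server sends a 29-byte TC reply that the filter passes, but the client's TCP retry that follows is exactly the other traffic the filter blocks; with EDNS0 advertising 4096 bytes the server legitimately sends the whole 785-byte answer over UDP and the filter drops it, so the client never sees an answer at all. Neither case is a fault in the zone data or the server.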