512 byte limit

Anton Korotin korotin at aha.ru
Wed Jan 21 17:51:41 UTC 2009


On 1/21/09, Todd Snyder <tsnyder at rim.com> wrote:
> Good day,

Hello,

>
>  I am struggling to get my head around the 512 byte limit with regards to
>  DNS queries/responses.  I am sure there is much in the RTFM category,
>  and I will continue to RTFM, but I wanted to ask a couple of specific
>  questions.
>
>  1) If a reply is over 512 bytes, which can't in theory be done via UDP,

It was not possible until EDNS appeared.

>  should the queried server reply telling my resolver to ask again using
>  TCP?  Assuming, as one normally should, that there are firewalls, the
>  queried server can't simply reply TCP, as it would get blocked.

The TC bit in the reply header indicates that the answer is truncated and the
client is supposed to resend the query via TCP.

The server can't simply reply with TCP, as it's a connection-oriented protocol
and the TCP session has to be initiated by the client.

>  2) Further to above, are responses over 512 bytes permissable using UDP?
>  We are seeing some firewall messages indicating that one of our FW's is
>  getting DNS responses at 600ish bytes:
>
>  2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from xxxxxxxx/53 to
>  yyyyyyy/2114; packet length 660 bytes exceeds configured limit of 512
>  bytes
>
>  I was under the (likely mistaken) impression that over 512 wasn't
>  allowed, but there it is ...
>
>  I could very well be completely messed up regarding the rules, so please
>  forgive my ignorance.  If you know my answer is in TFM, please batter me
>  about the head and tell me which FM at least :)

Answers longer than 512 bytes are valid if the client supports EDNS.
Please see RFC 2671 after RFC 1035.

You can easily receive a long reply with a command like this:
dig @a.root-servers.net . ns +bufsize=4096
It now sends back a message 643 bytes long. It works.

-- 
Anton
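The two mechanisms discussed in the thread, the TC bit that tells a client to retry over TCP and the EDNS0 OPT record through which a client advertises a UDP payload size above 512 bytes, are shown below as an added example in Python; it is not part of the original post and is not BIND or dig code. It builds a wire-format query with an OPT RR (what `dig +bufsize=4096` sends), and parses replies to read the TC flag and the advertised payload size. The two replies it inspects are constructed inline for illustration, not captured traffic; the record layouts follow RFC 1035 and RFC 2671, and nothing is sent on the network.

```python
"""Build an EDNS0 query and inspect a reply's TC bit and OPT payload size.

Added example for the 512-byte discussion; standard library only, offline.
Wire layouts follow RFC 1035 (header, question, RR) and RFC 2671 (OPT RR).
"""
import struct

OPT_TYPE = 41            # OPT pseudo-RR type (RFC 2671)
NS_TYPE = 2
CLASSIC_UDP_LIMIT = 512  # RFC 1035 ceiling for UDP messages without EDNS


def encode_name(name):
    """Encode a dotted name as DNS labels; '.' encodes to the single root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, bufsize=None):
    """Return a wire-format query. With bufsize set, append an OPT RR in the
    additional section; OPT carries the UDP payload size in its CLASS field."""
    flags = 0x0100                       # RD (recursion desired)
    arcount = 1 if bufsize else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # IN class
    if bufsize:
        # root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return msg


def skip_name(data, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract the header facts a resolver acts on plus the EDNS payload size,
    if an OPT RR is present. Walks all RRs; stops quietly if the message is cut off."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    info = {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "edns_bufsize": None, "length": len(data),
            "exceeds_512": len(data) > CLASSIC_UDP_LIMIT}
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(data, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(data, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
            off += 10
            if rtype == OPT_TYPE:
                info["edns_bufsize"] = rclass    # advertised UDP payload size
            off += rdlen
    except (IndexError, struct.error):
        pass                                     # truncated on the wire; keep what we have
    return info


def needs_tcp_retry(info):
    """RFC 1035: TC=1 means the UDP reply was truncated; the client re-asks over TCP."""
    return info["tc"]


def sample_truncated_reply():
    """Constructed reply (not captured): QR/TC/RD/RA set, question only, no OPT."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    return hdr + encode_name(".") + struct.pack("!HH", NS_TYPE, 1)


def sample_edns_reply():
    """Constructed reply (not captured): one NS answer plus an OPT RR with
    a 4096-byte payload size; QR/RD/RA set, TC clear."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name(".") + struct.pack("!HH", NS_TYPE, 1)
    rdata = encode_name("a.root-servers.net.")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", NS_TYPE, 1, 518400, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return hdr + question + answer + opt


if __name__ == "__main__":
    print("query with OPT:", parse_response(build_query(".", NS_TYPE, bufsize=4096)))
    for reply in (sample_truncated_reply(), sample_edns_reply()):
        info = parse_response(reply)
        print(info, "-> retry over TCP" if needs_tcp_retry(info) else "-> done")
```

A firewall that enforces the RFC 1035 figure, like the FWSM message quoted above, looks only at `length > 512`; it never sees that the client offered a larger payload size in its OPT record, which is exactly why a valid EDNS reply gets dropped there.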
