Preparing for upcoming DNSSEC changes on 5/5

Laws, Peter C. plaws at ou.edu
Tue May 4 02:40:45 UTC 2010


Yes, I get all that.  But earlier in the thread, I noted that:  

"Mine are all saying "x.x.x.x sent EDNS buffer size 4096" when I run the
dns-oarc.net test, which I assume is the default.  I, too, get the 3843 "at
least" value.

"Why would I set it to 3843?  Wouldn't I want it to be set to 4096 even if
*some* device between here and dns-oarc.net only allows that smaller value?"


We've already had one anecdote of someone that also got 3843, setting edns-udp-size, re-running the test and getting a smaller number.  Makes no sense to me to set it at less than the 4096-byte default unless *I* had faulty network equipment.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center / Web
University of Oklahoma Information Technology
plaws at ou.edu

________________________________________
From: marka at isc.org [marka at isc.org]
Sent: Monday, May 03, 2010 20:19
To: Laws, Peter C.
Cc: bind-users at isc.org
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5

In message <4BDF4B79.4050101 at ou.edu>, Peter Laws writes:
> On 05/03/10 16:19, Mark Andrews wrote:
>
> > The test is a rough guide to the maximum packet size supported by the path.
>
> So what would be the point of using edns-udp-size to something even
> smaller?  None I can see ...
>
> What am I missing?

There is a difference between what the path is capable of and what
named will try to use.  Named will try 4096 and 512 bytes, by
default.

Let's say the path is only capable of handling unfragmented IPv4
packets.  You then have a path limit of ~1460 (depends on how many
IP in IP tunnels there are in the path).  If the response is bigger
than 1460 it won't get through, named will timeout, try a different
server, timeout, try a different server, timeout and then send
requests advertising a 512 byte buffer instead of 4096 which will
get through usually with TC set and named will then fallback to
TCP.

Now we do the same with an edns-udp-size set to 1460.  The response
will no longer be > 1460 so it is unlikely to be fragmented and it
gets through first time.  Depending upon where the response is
truncated it will have TC set or not.  Some parts of some responses
are optional.

We have eliminated 3 timeouts and an almost certain TCP query by
setting edns-udp-size to match the path characteristics.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
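The retry ladder Mark describes (advertise 4096, time out on each server, drop to 512, get TC, fall back to TCP), as an added example that is not part of the thread and is not BIND's code. The authoritative servers, the path that drops oversized datagrams, and the response sizes (900 mandatory plus 1200 optional bytes, path limit 1460) are constructed test doubles chosen to match the scenario in the message above, not measurements. The query and response bytes are built to the real wire format, so `build_query` and `opt_udp_size` work on captured traffic as well.

```python
"""Added example for the bind-users thread above; not BIND's code. The servers
and network path are constructed test doubles. It shows where the advertised
EDNS UDP buffer size lives in a query (the CLASS field of the OPT RR, RFC
6891), how a resolver detects TC and falls back to TCP, and why advertising
a buffer that matches the path avoids the timeouts a 4096-byte one causes."""
import struct

OPT_TYPE = 41                    # RR type of the EDNS0 OPT pseudo-record
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
FLAG_DO = 0x8000                 # DNSSEC OK bit in the OPT RR's TTL field


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (wire-format name)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname, udp_size, qtype=1, txid=0x1234, dnssec_ok=True):
    """Query for qname with an OPT RR advertising udp_size bytes.
    txid is fixed for reproducibility; a real resolver randomizes it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS = our UDP payload size,
    # TTL = ext-rcode | version | DO+Z flags, RDLENGTH 0 -> 11 bytes total.
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0,
                                FLAG_DO if dnssec_ok else 0, 0)
    return header + question + opt


def header_flags(msg):
    return struct.unpack_from("!H", msg, 2)[0]


def _skip_name(msg, off):
    """Offset just past the wire-format name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes
            return off + 2
        off += 1 + length


def opt_udp_size(msg):
    """UDP payload size advertised in msg's OPT RR, or None if it has none."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT_TYPE:
            return rclass
        off += rdlen
    return None


def make_server(mandatory, optional, path_limit):
    """Constructed authoritative server behind a path that silently drops any UDP
    datagram over path_limit bytes (fragments lost). Optional data (additional
    section) is omitted to fit the advertised buffer; mandatory data cannot be,
    so the reply is truncated with TC set. TCP always carries the full reply."""
    def respond(query, tcp=False):
        txid = struct.unpack_from("!H", query, 0)[0]
        question = query[12:_skip_name(query, 12) + 4]
        advertised = opt_udp_size(query) or 512      # no OPT -> classic 512
        fixed = 12 + len(question) + 2 + 10 + 11     # header, question, answer RR w/o rdata, OPT
        if tcp:
            size, tc = mandatory + optional, False
        elif mandatory > advertised:
            size, tc = fixed, True
        else:
            size, tc = min(mandatory + optional, advertised), False
        flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
        rdlen = max(size - fixed, 0)
        header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
        # One answer RR (type 16) whose rdata is padding to reach `size` bytes;
        # its owner name is a pointer (0xC00C) to the question name.
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 60, rdlen) + b"x" * rdlen
        opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, FLAG_DO, 0)
        reply = header + question + answer + opt
        if not tcp and len(reply) > path_limit:
            return None                              # dropped: the resolver sees a timeout
        return reply
    return respond


def resolve(servers, qname, sizes=(4096, 512)):
    """The retry ladder from the thread: advertise each size in turn against each
    server over UDP; no reply counts as a timeout; a TC reply triggers a TCP
    retry. Returns (response, timeouts, used_tcp)."""
    timeouts = 0
    for size in sizes:
        for srv in servers:
            reply = srv(build_query(qname, size))
            if reply is None:
                timeouts += 1
                continue
            if header_flags(reply) & FLAG_TC:
                return srv(build_query(qname, size), tcp=True), timeouts, True
            return reply, timeouts, False
    return None, timeouts, False


if __name__ == "__main__":
    # Path carries only unfragmented IPv4 (~1460 bytes); the signed response is
    # 900 bytes of mandatory data plus 1200 bytes of optional additional data.
    servers = [make_server(900, 1200, 1460)] * 3
    for label, sizes in (("default 4096/512", (4096, 512)),
                         ("edns-udp-size 1460", (1460, 512))):
        reply, timeouts, used_tcp = resolve(servers, "example.com.", sizes)
        print(f"{label}: {timeouts} timeouts, tcp={used_tcp}, {len(reply)} bytes")
```

With the default ladder the simulated resolver burns three timeouts and ends up on TCP; with 1460 advertised it gets a 1460-byte answer on the first UDP query. Setting the advertised size in BIND is `edns-udp-size 1460;` in the `options` block, and `dig +bufsize=1460 +dnssec` against the same name shows what the server sends back for that advertisement. Whether you should do that is a separate question (Peter's point above): a smaller advertisement trades fragmentation risk for more truncated-plus-TCP exchanges whenever the mandatory part of a response exceeds it.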


