not all name servers advertise right edns0 size limit?

Mark Andrews marka at isc.org
Mon Mar 25 00:51:20 UTC 2013


In message <2013032507232012562410 at gmail.com>, "Liu Mingxing" writes:
> Dear,
> 
> I ran dig for some domains against some resolvers and name servers and found 
> that they do not advertise the right reply size limit, even though in fact 
> they support a sufficient size.
> When the resolver 114.114.114.114 is queried, it returns the following 
> result.
> root at localhost ~#  dig @114.114.114.114 com any  +dnssec +bufsize=4096 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @114.114.114.114 com any 
> +dnssec +bufsize=4096
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10405
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;com.                           IN      ANY
> 
> ;; ANSWER SECTION:
> com.                    84506   IN      RRSIG   DNSKEY 8 1 86400 
> 20130329182533 20130322182033 30909 com. 
> bkJL6r7iv1PLxVSGbJczd2uMvndJA8lFVDPL+hIo08YjRlhD10qnewEW 
> uIrCABkPy6xS79hHu3oXMoNjucZ8BdKxgrZf7ZnQ4Iv7IwzSPI62qaWQ 
> t7sngLctJqPvxBccRYwfz+R0lv/gELnwvK2XX+xxIgDACMorkdEnzPQh 
> utZS/PrhqVpqicyxMIqCssSu2Vphj7Xe7Y+EkNzjUIBXaXbMfHDFPpsv 
> 0a2Pkec5BWj8NtKDN9LlCx0KXvwTsl12H9yyWM6AFo1Px968R1wFeYZA 
> uqozJYhojx8SQ4mUpnYLby+ABiJIK+Q4XyvL1JhQEATqwYs+co/wBAkz mVgJAQ==
> com.                    84506   IN      DNSKEY  256 3 8 
> AQPcnY9mVa8t+3ab9SsbKjGh38DXxdCZsL0sCdUEzyj1b3nN9BFLolfM 
> o7PyfRhOw29YvgwHq1wRB2nRWcOpuUZhgZNOxWqLoOu84KR7HtQmY1yZ 
> uSkh9WA6mUDQT+i/7zpUVbtmZqNJm5SuQZFE0hn+N5CMxnXOLOsHJsn6 WvB1sQ==
> 
> ;; Query time: 31 msec
> ;; SERVER: 114.114.114.114#53(114.114.114.114)
> ;; WHEN: Sun Mar 24 16:08:01 2013
> ;; MSG SIZE  rcvd: 458

114.114.114.114 is not even RFC 1035 compliant as it fails to set
TC=1 if it can't add all the records of an RRset to the answer section.
The above answer has a partial RRset for DNSKEY/COM.

> The bufsize option is set in order to tell the resolver to enable edns0, but 
> it ignores it. By using OARC's DNS Reply Size Test 
> Server (https://www.dns-oarc.net/oarc/services/replysizetest),
> it is found that the resolver actually supports edns0.  Maybe while it 
> supports edns0, it does not tell this to clients?

That is the way it looks.

> root at localhost ~#  dig +short rs.dns-oarc.net txt @114.114.114.114
> rst.x3827.rs.dns-oarc.net.
> rst.x3837.x3827.rs.dns-oarc.net.
> rst.x3843.x3837.x3827.rs.dns-oarc.net.
> "Tested at 2013-03-24 22:59:55 UTC"
> "58.217.249.137 sent EDNS buffer size 4096"
> "58.217.249.137 DNS reply size limit is at least 3843"

 
> Unlike the resolver, the root gives a size that is not the right size it 
> supports.  The edns0 size in the result is 512B while the message size is 
> 727B. That is to say, 512 is not right? 
> root at localhost ~# dig @a.root-servers.net com any  +dnssec +bufsize=4096 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @a.root-servers.net com 
> any +dnssec +bufsize=4096
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65447
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;com.                           IN      ANY
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> .................
> com.                    86400   IN      DS      30909 8 2 
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 
> 20130331000000 20130323230000 40323 . 
> N2LWYkOwbv/oecFw3cuE1K7wphnmWzMVVSvRYbgFYUlUxhbCbh1KogVt 
> a7uUieHPwXyf6QT56+Au3XfHrwTZzXiy1nHx2tdmAiH/IuAEbyOBPECf 
> 5dEeuKWpz6StQbn3OOxBaMauFShANT5gMsrqSvRDURvuOa8cdT7EaMhU ikQ=
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     86400   IN      AAAA    2001:503:a83e::2:30
> a.gtld-servers.net.     86400   IN      A       192.5.6.30
> b.gtld-servers.net.     86400   IN      AAAA    2001:503:231d::2:30
> ...............
> ;; Query time: 43 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Sun Mar 24 16:20:17 2013
> ;; MSG SIZE  rcvd: 727

a.root-servers.net is an anycast server.  They do not want to get
fragmented requests so they are advertising a buffer size that
usually does not result in fragmentation of traffic to the server.
They still honour the client's advertised buffer size when sending
responses.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
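
Added example, not part of the original message: a small Python parser that reads the TC flag and the OPT record's UDP size from a DNS reply and compares the reply's length with the client's own advertised buffer. The function names are hypothetical, and the two messages are constructed stand-ins sized like the replies quoted above (727 bytes with OPT udp 512, 458 bytes with no OPT), not captured packets.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def edns_summary(msg, client_bufsize):
    """Report TC, the responder's OPT UDP size, and whether the reply fits the client."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    server_udp = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                  # OPT: CLASS field is the sender's receive size
            server_udp = rclass
    return {
        "size": len(msg),
        "tc": bool(flags & 0x0200),
        "server_advertised": server_udp,             # None means no OPT in the reply
        "fits_client_buffer": len(msg) <= client_bufsize,
    }

def build_reply(flags, pad, opt_udp=None):
    """Constructed reply for 'com. ANY': one padded RR, optionally followed by OPT."""
    body = b"\x03com\x00" + struct.pack("!HH", 255, 1)
    body += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, pad) + b"\x00" * pad
    if opt_udp is not None:              # root name, TYPE 41, CLASS = UDP size, DO bit set
        body += b"\x00" + struct.pack("!HHIH", 41, opt_udp, 0x8000, 0)
    counts = (1, 1, 0, 1 if opt_udp is not None else 0)
    return struct.pack("!6H", 0x1234, flags, *counts) + body

# Constructed stand-ins sized like the two replies in the thread (not captured packets).
ROOT_LIKE = build_reply(0x8100, pad=683, opt_udp=512)   # 727 bytes, OPT udp: 512
RESOLVER_LIKE = build_reply(0x8180, pad=425)            # 458 bytes, no OPT

if __name__ == "__main__":
    for name, msg in (("root-like", ROOT_LIKE), ("resolver-like", RESOLVER_LIKE)):
        print(name, edns_summary(msg, client_bufsize=4096))
```

The root-like reply is larger than the 512 in its own OPT record yet still fits the 4096 bytes the client advertised, because the OPT size states what the sender will accept, not a bound on what it sends.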


