Anycast 101

Alon Tirosh j0keralpha at gmail.com
Fri Dec 17 02:01:53 UTC 2004


To add, there are also a lot of edge appliances (Company C appliances
that start with P) that block 53/tcp >= 512B by default without admins
realizing it, hence EDNS gets actively blocked while normal DNS traffic
works (this is a major issue for enterprise Windows admins).


On Fri, 17 Dec 2004 01:54:43 +0000, Suzanne Woolf <Suzanne_Woolf at isc.org> wrote:
> 
> On Thu, Dec 16, 2004 at 07:59:58PM -0500, Steven M. Bellovin wrote:
> > In message <41C222C3.9020906 at globalstar.com>, Crist Clark writes:
> > >
> > >Iljitsch van Beijnum wrote:
> > >
> > >> Due to limitations in the DNS protocol, it's not possible
> > >> to increase the number of authoritative DNS servers for a zone beyond
> > >> around 13.
> > >
> > >I believe you misspelled, "Due to people who do not understand the DNS
> > >protocol being allowed to configure firewalls..."
> >
> > No, firewalls have nothing to do with it.  Section 4.2.1 of RFC 1035
> > says:
> >
> >    Messages carried by UDP are restricted to 512 bytes (not counting the IP
> >    or UDP headers).
> >
> > There's a large installed base of machines that conform to that limit
> > and don't understand EDNS0.  I'll leave the packet layout and
> > arithmetic as an exercise for the reader (cheaters may want to run
> > tcpdump on 'dig ns .' and examine the result), but the net result is
> > what Iljitsch said: you can only fit about 13 servers into a response.
> 
> Just because I feel like splitting hairs....
> 
> You're both right. As far as we (ISC) can tell, there are lots of
> resolvers that authoritative servers can't send big packets to because
> they don't grok EDNS0. There are also lots of resolvers that grok
> EDNS0 behind firewalls that don't. Big fun can occur when the resolver
> indicates EDNS0-compliance from behind such a firewall and keeps
> asking because it thinks it's not getting answers....For extra credit,
> try to deploy DNSSEC in this reality.
> 
> It's not for nothing that we speak of extending the DNS protocol as
> "rebuilding the airplane in flight" around here....
>
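The "packet layout and arithmetic" that the quoted message leaves as an exercise, worked through as an added example; this is not code from the thread or from ISC. It hand-assembles the reply to '. IN NS' in RFC 1035 wire format with name compression (section 4.1.4), so the size can be checked against the 512-byte UDP limit of section 4.2.1 without a network. Assumptions: server names follow the a.root-servers.net pattern, glue addresses are constructed TEST-NET-1 placeholders rather than the real root-server IPs, the TTL is arbitrary (it does not affect the size), and no EDNS0 OPT record is present.

```python
"""Size of the root priming response ('dig ns .') on the wire.

Added example: builds the reply by hand in RFC 1035 wire format, including
the name compression real servers apply, and checks it against the 512-byte
UDP limit.  Server names follow the a.root-servers.net pattern; addresses
are constructed placeholders, not the real root-server IPs.
"""
import struct

UDP_LIMIT = 512       # RFC 1035 section 4.2.1, pre-EDNS0 maximum
TTL = 3600000         # constructed TTL; any 32-bit value gives the same size


class NameCompressor:
    """Encode names, replacing a suffix already in the message with a pointer."""

    def __init__(self):
        self.seen = {}          # tuple of labels (a suffix) -> message offset

    def encode(self, name, offset):
        """Wire-encode `name` as it will appear at `offset` in the message."""
        labels = [lab for lab in name.rstrip(".").split(".") if lab]
        out = bytearray()
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in self.seen:
                # 2-byte pointer: top two bits set, 14-bit offset
                out += struct.pack("!H", 0xC000 | self.seen[suffix])
                return bytes(out)
            if offset + len(out) < 0x4000:      # pointers only reach 16 KiB
                self.seen[suffix] = offset + len(out)
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"                          # root label ends the name
        return bytes(out)


def server_names(n):
    """a.root-servers.net. ... for n servers (single-letter host labels)."""
    return [f"{chr(ord('a') + i)}.root-servers.net." for i in range(n)]


def build_priming_response(n):
    """Authoritative answer to '. IN NS' listing n servers with A glue."""
    assert 1 <= n <= 26, "single-letter host labels only"
    names = server_names(n)
    comp = NameCompressor()
    msg = bytearray()
    # Header: ID, flags QR|AA|RD|RA, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg += struct.pack("!HHHHHH", 0x1234, 0x8580, 1, n, 0, n)
    # Question: ". IN NS"  (the root name is a lone zero byte, never a pointer)
    msg += comp.encode(".", len(msg)) + struct.pack("!HH", 2, 1)
    # Answer section: one NS RR per server, owner "."
    for name in names:
        msg += comp.encode(".", len(msg))
        rdata = comp.encode(name, len(msg) + 10)   # after TYPE/CLASS/TTL/RDLENGTH
        msg += struct.pack("!HHIH", 2, 1, TTL, len(rdata)) + rdata
    # Additional section: A glue, owner compressed to the name in the NS RDATA
    for i, name in enumerate(names):
        msg += comp.encode(name, len(msg))
        addr = bytes([192, 0, 2, i + 1])          # constructed TEST-NET-1 address
        msg += struct.pack("!HHIH", 1, 1, TTL, 4) + addr
    return bytes(msg)


def response_size(n):
    """Bytes on the wire, not counting IP and UDP headers."""
    return len(build_priming_response(n))


def fits_in_udp(n, limit=UDP_LIMIT):
    """True if a pre-EDNS0 resolver gets the whole list; False means TC=1 and a TCP retry."""
    return response_size(n) <= limit


def max_servers(limit=UDP_LIMIT):
    """Largest server count whose full NS+glue reply fits in `limit` bytes."""
    return max(n for n in range(1, 27) if fits_in_udp(n, limit))


if __name__ == "__main__":
    for n in (13, 14, 15, 16):
        print(f"{n:2d} servers -> {response_size(n):3d} bytes "
              f"({'fits' if fits_in_udp(n) else 'truncated'})")
    print("largest count within 512 bytes:", max_servers())
```

With these assumptions the 13-server reply is 436 bytes: 17 for header and question, 31 for the first NS record (its RDATA carries root-servers.net in full), 15 for each further NS record (one label plus a pointer), and 16 per A glue record. Each extra server costs 31 bytes, and the margin is eaten quickly by longer host names, by an OPT record, or by IPv6 glue, which is the sense in which the limit sits "around 13". A resolver that does not grok EDNS0 and receives a truncated reply falls back to TCP on port 53, which is exactly the path the appliances mentioned at the top of the thread break.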


