Anycast 101
Crist Clark
crist.clark at globalstar.com
Fri Dec 17 01:18:12 UTC 2004
Steven M. Bellovin wrote:
> In message <41C222C3.9020906 at globalstar.com>, Crist Clark writes:
>
>>Iljitsch van Beijnum wrote:
>>
>>
>>>Due to limitations in the DNS protocol, it's not possible
>>>to increase the number of authoritative DNS servers for a zone beyond
>>>around 13.
>>
>>I believe you misspelled, "Due to people who do not understand the DNS
>>protocol being allowed to configure firewalls..."
>
>
> No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035
> says:
>
> Messages carried by UDP are restricted to 512 bytes (not counting the IP
> or UDP headers).
>
> There's a large installed base of machines that conform to that limit
> and don't understand EDNS0. I'll leave the packet layout and
> arithmetic as an exercise for the reader (cheaters may want to run
> tcpdump on 'dig ns .' and examine the result), but the net result is
> what Iljitsch said: you can only fit about 13 servers into a response.
Into a UDP response. A resolver will receive the first 512 bytes of the
truncated response and may then use TCP to get the complete response...
unless there is a firewall blocking 53/tcp in the way. But how often
does that happen?
The root servers sustaining the ensuing SYN flood is another issue.
--
Crist J. Clark crist.clark at globalstar.com
Globalstar Communications (408) 933-4387
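The packet arithmetic Bellovin leaves as an exercise, and the truncation and TCP fallback Clark describes, worked through as an added example (this is not code from the thread or from any root-server operator). It assumes the layout of the `dig ns .` reply of the day: NS records for a.root-servers.net through m.root-servers.net in the answer section plus one A glue record per server in the additional section, with RFC 1035 section 4.1.4 name compression; the server names are generated and the IPv4 addresses are constructed placeholders, since only the sizes matter here.

```python
"""How many root servers fit in a 512-byte UDP DNS reply, and what happens past that.

Builds a wire-format reply to "dig ns ." (NS query for the root) with RFC 1035
name compression, then models the pre-EDNS0 UDP behaviour: a reply over 512
bytes goes out truncated with the TC bit set, and the full reply is only
available over TCP, where it is carried with a 2-byte length prefix.
Server names are generated and the glue addresses are constructed
placeholders; none of this is live root-zone data.
"""
import struct

ROOT_SUFFIX = "root-servers.net"
UDP_LIMIT = 512  # RFC 1035 section 4.2.1


def root_server_names(n):
    """a.root-servers.net, b.root-servers.net, ... for n servers (n <= 26)."""
    return [f"{chr(ord('a') + i)}.{ROOT_SUFFIX}" for i in range(n)]


class DnsMessageBuilder:
    """Minimal DNS wire-format writer with RFC 1035 section 4.1.4 compression."""

    def __init__(self):
        self.buf = bytearray()
        self.names = {}  # name suffix -> offset of its first occurrence

    def write_name(self, name):
        """Append a domain name, replacing any suffix already in the message
        with a 2-byte pointer (0xC000 | offset)."""
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if suffix in self.names:
                self.buf += struct.pack("!H", 0xC000 | self.names[suffix])
                return
            if len(self.buf) <= 0x3FFF:  # pointer offsets are 14 bits wide
                self.names[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"  # terminating root label

    def write_rr(self, owner, rtype, rdata_writer, ttl=518400):
        """Append one resource record; rdata_writer appends the RDATA bytes."""
        self.write_name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, ttl)  # TYPE, CLASS IN, TTL
        rdlength_pos = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH placeholder, patched below
        rdata_writer()
        struct.pack_into("!H", self.buf, rdlength_pos, len(self.buf) - rdlength_pos - 2)


def build_root_ns_response(server_names, qid=0x1234):
    """Reply to 'NS .' : n NS records in the answer section, n A glue records
    in the additional section. Glue addresses are constructed placeholders."""
    b = DnsMessageBuilder()
    n = len(server_names)
    # Header: ID, flags (QR=1, AA=1), QDCOUNT=1, ANCOUNT=n, NSCOUNT=0, ARCOUNT=n
    b.buf += struct.pack("!HHHHHH", qid, 0x8400, 1, n, 0, n)
    b.write_name(".")
    b.buf += struct.pack("!HH", 2, 1)  # QTYPE NS, QCLASS IN
    for name in server_names:  # answer: ". NS x.root-servers.net"
        b.write_rr(".", 2, lambda name=name: b.write_name(name))
    for i, name in enumerate(server_names):  # additional: A glue, owner is a pointer
        b.write_rr(name, 1, lambda i=i: b.buf.extend(bytes([198, 41, 0, i + 4])))
    return bytes(b.buf)


def udp_reply(msg, limit=UDP_LIMIT):
    """What a server without EDNS0 sends over UDP: the whole message if it fits,
    otherwise the first `limit` bytes with the TC bit set (RFC 1035 section 4.1.1)."""
    if len(msg) <= limit:
        return msg
    truncated = bytearray(msg[:limit])
    flags = struct.unpack_from("!H", msg, 2)[0] | 0x0200  # TC
    struct.pack_into("!H", truncated, 2, flags)
    return bytes(truncated)


def is_truncated(msg):
    """True when the TC bit is set; a resolver seeing this retries over 53/tcp."""
    return bool(struct.unpack_from("!H", msg, 2)[0] & 0x0200)


def tcp_frame(msg):
    """The same message as carried over TCP: 2-byte length prefix, no 512-byte
    cap (RFC 1035 section 4.2.2). This is what a firewall blocking 53/tcp denies."""
    return struct.pack("!H", len(msg)) + msg


def max_servers_in_udp(limit=UDP_LIMIT):
    """Largest n for which the NS-plus-glue reply fits in one UDP message."""
    n = 0
    while n < 26 and len(build_root_ns_response(root_server_names(n + 1))) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    reply = build_root_ns_response(root_server_names(13))
    print("13 servers, NS + A glue:", len(reply), "bytes")
    print("servers that still fit in", UDP_LIMIT, "bytes:", max_servers_in_udp())
    big = build_root_ns_response(root_server_names(20))
    print("20 servers over UDP: truncated =", is_truncated(udp_reply(big)),
          "; over TCP:", len(tcp_frame(big)), "bytes on the wire")
```

With the 13 compressed names the reply comes to 436 bytes; each further server adds 31 bytes (a 15-byte NS record and a 16-byte glue record), and the same layout crosses 512 bytes at the sixteenth server, which is the arithmetic behind "about 13" once any headroom is wanted. Past the limit, `udp_reply` shows the resolver getting a 512-byte message with TC set, and `tcp_frame` is the only way to obtain the rest; a firewall dropping 53/tcp leaves the resolver with the truncated copy.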
More information about the NANOG mailing list