On Thu, Dec 16, 2004 at 07:59:58PM -0500, Steven M. Bellovin wrote:
In message <41C222C3.9020906@globalstar.com>, Crist Clark writes:
Iljitsch van Beijnum wrote:
Due to limitations in the DNS protocol, it's not possible to increase the number of authoritative DNS servers for a zone beyond around 13.
I believe you misspelled, "Due to people who do not understand the DNS protocol being allowed to configure firewalls..."
No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035 says:
Messages carried by UDP are restricted to 512 bytes (not counting the IP or UDP headers).
There's a large installed base of machines that conform to that limit and don't understand EDNS0. I'll leave the packet layout and arithmetic as an exercise for the reader (cheaters may want to run tcpdump on 'dig ns .' and examine the result), but the net result is what Iljitsch said: you can only fit about 13 servers into a response.
Just because I feel like splitting hairs.... You're both right. As far as we (ISC) can tell, there are lots of resolvers that authoritative servers can't send big packets to because they don't grok EDNS0. There are also lots of resolvers that grok EDNS0 behind firewalls that don't. Big fun can occur when the resolver indicates EDNS0-compliance from behind such a firewall and keeps asking because it thinks it's not getting answers....For extra credit, try to deploy DNSSEC in this reality. It's not for nothing that we speak of extending the DNS protocol as "rebuilding the airplane in flight" around here....