North American Network Operators Group
Re: Anycast 101
- From: Crist Clark
- Date: Thu Dec 16 20:20:05 2004
Steven M. Bellovin wrote:
In message <41C222C3.9020906@globalstar.com>, Crist Clark writes:
Iljitsch van Beijnum wrote:
Due to limitations in the DNS protocol, it's not possible
to increase the number of authoritative DNS servers for a zone beyond
around 13.
I believe you misspelled, "Due to people who do not understand the DNS
protocol being allowed to configure firewalls..."
No, firewalls have nothing to do with it. Section 4.2.1 of RFC 1035
says:
Messages carried by UDP are restricted to 512 bytes (not counting the IP
or UDP headers).
There's a large installed base of machines that conform to that limit
and don't understand EDNS0. I'll leave the packet layout and
arithmetic as an exercise for the reader (cheaters may want to run
tcpdump on 'dig ns .' and examine the result), but the net result is
what Iljitsch said: you can only fit about 13 servers into a response.
Into a UDP response. A resolver will receive the first 512 bytes of the
truncated response and may then use TCP to get the complete response...
unless there is a firewall blocking 53/tcp in the way. But how often
does that happen?
The root servers sustaining the ensuing SYN flood is another issue.
--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
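The packet-layout arithmetic that the thread leaves as an exercise, worked here as an added example (this is not code from the thread or from any of its participants): a Python script that assembles the reply to 'dig ns .' byte by byte, with the NS records in the answer section and the A glue in the additional section, and then counts how many servers fit under the 512-byte UDP limit of RFC 1035 section 4.2.1, with and without label compression, and with a 4096-byte EDNS0 buffer for comparison. The hostnames follow the real a..z.root-servers.net scheme; the addresses are constructed TEST-NET-1 placeholders, not the real root addresses, and all function names are this example's own. The udp_view function models the other half of the exchange: a reply that does not fit is cut at 512 bytes with the TC bit set, which is what tells the resolver to retry over 53/tcp.

```python
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
TC_BIT = 0x0200          # "truncated" flag in the header flags word (RFC 1035 4.1.1)


def encode_name(name, out, offsets, compress=True):
    """Append `name` to `out` in wire format. With compress=True, any suffix already
    present in the message is replaced by a 2-byte pointer (RFC 1035 section 4.1.4),
    which is what lets a dozen near-identical root-servers.net names fit in 512 bytes."""
    labels = [l for l in name.strip(".").split(".") if l]
    for i, label in enumerate(labels):
        suffix = tuple(labels[i:])
        if compress and suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if compress and len(out) < 0x4000:
            offsets[suffix] = len(out)
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)            # root label terminates the name ("." alone is this single byte)


def build_priming_response(servers, compress=True, ttl=518400):
    """Assemble the answer a root server gives to 'NS .': one NS record per server in
    the answer section and one A glue record per server in the additional section."""
    out, offsets = bytearray(), {}
    # header: ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    out += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, len(servers))
    encode_name(".", out, offsets, compress)                 # question: "." NS IN
    out += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for host, _ in servers:                                  # answer: . NS host
        encode_name(".", out, offsets, compress)
        out += struct.pack("!HHI", TYPE_NS, CLASS_IN, ttl)
        rdlen_at = len(out)
        out += b"\x00\x00"                                   # RDLENGTH, patched below
        encode_name(host, out, offsets, compress)
        struct.pack_into("!H", out, rdlen_at, len(out) - rdlen_at - 2)
    for host, ip in servers:                                 # additional: host A ip
        encode_name(host, out, offsets, compress)
        out += struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        out += bytes(int(octet) for octet in ip.split("."))
    return bytes(out)


def root_servers(n):
    """Constructed list of n (hostname, IPv4) pairs. The hostnames follow the real
    a..z.root-servers.net scheme; the addresses are TEST-NET-1 placeholders, not real."""
    return [(f"{chr(ord('a') + i)}.root-servers.net", f"192.0.2.{i + 1}") for i in range(n)]


def max_servers(limit=512, compress=True, max_n=26):
    """Largest n for which the priming response (NS + glue) fits in `limit` bytes."""
    best = 0
    for n in range(1, max_n + 1):
        if len(build_priming_response(root_servers(n), compress)) > limit:
            break
        best = n
    return best


def udp_view(response, limit=512):
    """What a resolver without EDNS0 sees over UDP: the whole message if it fits, else
    the first `limit` bytes with TC set, the cue to retry over 53/tcp. Real servers cut
    at an RR boundary rather than mid-record; this is the simplified model."""
    if len(response) <= limit:
        return response
    out = bytearray(response[:limit])
    struct.pack_into("!H", out, 2, struct.unpack_from("!H", out, 2)[0] | TC_BIT)
    return bytes(out)


def is_truncated(response):
    return bool(struct.unpack_from("!H", response, 2)[0] & TC_BIT)


if __name__ == "__main__":
    print("13 root servers + glue:", len(build_priming_response(root_servers(13))), "bytes")
    print("max in 512 bytes, compressed:  ", max_servers(512))
    print("max in 512 bytes, uncompressed:", max_servers(512, compress=False))
    print("max in 4096 bytes (EDNS0 size):", max_servers(4096))
    big = udp_view(build_priming_response(root_servers(20)))
    print("20 servers over plain UDP:", len(big), "bytes, TC =", is_truncated(big))
```

By this model a 13-server reply with glue is 436 bytes, 15 servers would still squeeze under 512, and only 7 fit if the responder does not compress labels at all; the "about" in the thread is doing real work, since the exact count depends on how long the server names are and how much of them compress. Running the same arithmetic with the EDNS0 buffer size shows why the limit is a legacy of non-EDNS0 clients rather than of the protocol as extended. Compare against a live capture with tcpdump on 'dig ns .' as the thread suggests, remembering that a modern root reply also carries AAAA glue and an OPT record.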