[conspire] DNS? UDP limited to 512 bytes, or ??? ... got EDNS? ...
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Mon Mar 7 06:10:19 PST 2016
> Date: Wed, 2 Mar 2016 13:11:13 -0800
> From: Rick Moen <rick at linuxmafia.com>
> To: conspire at linuxmafia.com
> Subject: [conspire] What happens when 75% of your domain's nameservers
> refuse to do TCP
> Most DNS traffic moves across the Internet as UDP-type datagrams
> (because it is faster and less complex), _but_ some queries must instead
> be transacted using TCP-type datagrams because of UDP limitations.
> Specifically, if the size of the query ends up exceeding 512 bytes, or
> the answer size exceeds 512 bytes, TCP _must_ be used. _Therefore_, it
> is absolutely necessary that DNS nameservers be able and willing to
> respond using TCP-type answers.
Yes, the above still *mostly* holds and it *is* still required for
properly functioning DNS. There are, however, a few things that change
that a bit ... or more properly and precisely - *extend* it.

UDP limited to only a maximum of 512 bytes in a packet? DNS can't do
more than that 512 byte limit in a UDP packet? That's not necessarily
always the case ... but it depends upon the particular client and
server involved - and also the transport between them. So one can't
generally expect or rely upon any and all clients and/or servers
supporting such extensions. Huh? Yes.

EDNS https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
RFC2671 https://tools.ietf.org/html/rfc2671
etc. So, ... relatively widely deployed / in use, but by no means are
such extensions universally present.

Yup, ... I was scratching my head
for a bit at first when I was looking at details of DNS traffic and
started seeing EDNS and other bits show up there that I wasn't
expecting and wasn't yet aware of what they were. Well, wee bit 'o
research later, and ... ah, so *that*'s what that newfangled stuff is.
:-)

Yes, DNS - quite well designed, and designed in a manner that
leaves it quite extensible - highly useful, as much has been added to
DNS compared to its much simpler beginning. E.g., got LOC records, SPF
records? How about IPv6 & AAAA records? How about NOTIFY? DNSSEC?
Etc., etc. - DNS tends to continue to get very usefully extended, and
in highly backwards-compatible ways - so the old stuff continues
working as it always has, but the newer stuff manages to layer itself
quite nicely atop that.
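The mechanics the two posts describe (the classic 512-byte UDP ceiling, the TC bit that tells a resolver to retry over TCP, and the EDNS0 OPT pseudo-RR whose CLASS field advertises a larger UDP payload size) can be seen on the wire with a few dozen lines of standard-library Python. The following is an added, constructed example written for this page; it is not code from either poster and sends nothing over the network. The query name, transaction id, addresses and payload sizes are made-up sample values, and the 4096/1232 figures are arbitrary advertised sizes, not recommendations.

```python
"""Build a DNS query carrying an EDNS0 OPT pseudo-RR, build sample
responses, and inspect them for the TC bit and the advertised UDP size.
Constructed example: nothing here talks to a real nameserver."""
import struct

DNS_DEFAULT_UDP_SIZE = 512   # RFC 1035 limit that applies without EDNS
TYPE_OPT = 41                # OPT pseudo-RR type (RFC 2671 / RFC 6891)
FLAG_TC = 0x0200             # TrunCation bit in the header flags word


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                udp_size: int = 4096, edns: bool = True) -> bytes:
    """Recursive query for `name`; with edns=True an OPT RR is appended to the
    additional section whose CLASS field says 'I can receive udp_size bytes'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def build_response(query: bytes, addr: str = "192.0.2.1", truncated: bool = False,
                   udp_size: int = 1232) -> bytes:
    """Sample server reply: echoes the question, one A answer (name given as a
    compression pointer to offset 12), and an OPT RR with the server's size."""
    txid = struct.unpack_from("!H", query, 0)[0]
    flags = 0x8180 | (FLAG_TC if truncated else 0)   # QR, RD, RA (+TC)
    question = query[12:_skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += bytes(int(octet) for octet in addr.split("."))
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1) + question + answer + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles pointers)."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def _skip_rr(msg: bytes, off: int):
    """Skip one resource record; return (new offset, type, class, ttl)."""
    off = _skip_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return off + 10 + rdlen, rtype, rclass, ttl


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size carried in the OPT RR's CLASS field, or 512 if the
    message has no OPT RR (i.e. the peer is not speaking EDNS)."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):
        off, _, _, _ = _skip_rr(msg, off)
    for _ in range(ar):
        off, rtype, rclass, _ = _skip_rr(msg, off)
        if rtype == TYPE_OPT:
            return rclass
    return DNS_DEFAULT_UDP_SIZE


def is_truncated(msg: bytes) -> bool:
    """True when the server set TC: the answer did not fit in the UDP reply."""
    return bool(struct.unpack_from("!H", msg, 2)[0] & FLAG_TC)


def transport_for_retry(response: bytes) -> str:
    """The rule from the thread: a truncated UDP answer must be re-asked over TCP."""
    return "tcp" if is_truncated(response) else "udp"


if __name__ == "__main__":
    q = build_query("example.com")
    print("query bytes:", len(q), "advertises", advertised_udp_size(q))
    for trunc in (False, True):
        r = build_response(q, truncated=trunc)
        print("TC=%d -> retry over %s" % (trunc, transport_for_retry(r)))
```

A plain query without the OPT RR is 29 bytes and implies the 512-byte default; adding EDNS0 costs 11 bytes and lets the client state a bigger buffer, but a server that never received the OPT RR (or strips it) still answers under the old rules, which is the "not universally present" point above. Whatever size is advertised, a reply with TC set is the signal that the exchange has to move to TCP, which is why nameservers that refuse TCP break resolution for large answers.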