[AusNOG] "stateless TCP" for DNS

Mattia Rossi mrossi at swin.edu.au
Mon Nov 15 17:43:26 EST 2010


On 15/11/2010 16:00, Mark Andrews wrote:
[..]
> * However, most DNS servers are configured to allow only a maximum
> UDP packet size of 512 Bytes.
>
> [ Most DNS servers are configured to honour UDP sizes in EDNS requests.
> Even then those that reduce the size usually do it to the level of
> preventing IP fragmentation.  Almost no servers reduce it to 512
> bytes as there are very few firewalls that block outgoing large
> replies. ]

Do you have any data or can you point us to any link which we could use 
to verify your statement? Our assumption is based on the following 
research: 
http://labs.ripe.net/Members/dfk/content-measuring-dns-transfer-sizes-first-results

>
> * Using IPv6 and DNSSEC, the DNS response will always exceed 512 Bytes.
>
> [ Which is demonstrably wrong.
>
> ;<<>>  DiG 9.6.0-APPLE-P2<<>>  +dnssec br @a.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32934
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;br.				IN	A
>
> ;; AUTHORITY SECTION:
> br.			172800	IN	NS	d.dns.br.
> br.			172800	IN	NS	c.dns.br.
> br.			172800	IN	NS	e.dns.br.
> br.			172800	IN	NS	f.dns.br.
> br.			172800	IN	NS	a.dns.br.
> br.			172800	IN	NS	b.dns.br.
> br.			86400	IN	DS	41674 5 1 EAA0978F38879DB70A53F9FF1ACF21D046A98B5C
> br.			86400	IN	RRSIG	DS 8 1 86400 20101122000000 20101114230000 40288 . CpOUaSB9+S8lJftPqsXv1btpINwTvQYXSfh8pBdf0UPhyQdOo0kkrHBN s/dnxPGMxxsAFzKeviHkFsqE4OaQdQuRoA7SI5ErZBTyAwf0HSld8ttJ 4d4IEfSUnL0VIBCGEIcyMbD4yphtzH0Ja7MtuAeKz4OynyTSiWVsivwP Yvw=
>
> ;; ADDITIONAL SECTION:
> a.dns.br.		172800	IN	A	200.160.0.10
> a.dns.br.		172800	IN	AAAA	2001:12ff::10
> b.dns.br.		172800	IN	A	200.189.40.10
> c.dns.br.		172800	IN	A	200.192.232.10
> d.dns.br.		172800	IN	A	200.219.154.10
> e.dns.br.		172800	IN	A	200.229.248.10
> e.dns.br.		172800	IN	AAAA	2001:12f8:1::10
> f.dns.br.		172800	IN	A	200.219.159.10
>
> ;; Query time: 163 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Mon Nov 15 15:48:59 2010
> ;; MSG SIZE  rcvd: 478
> ]

My mistake - as the most common TLDs do in fact always exceed the 
limit. I'll definitely fix that.

>
> * Firewalls and NAT boxes are known to drop DNS UDP packets which
> are larger than 512 Bytes.
>
> [ Which depends on the firewall configuration (newer defaults allow 4096-byte
> UDP responses by default when talking EDNS) and whether you are talking
> to the NAT (broken proxies often without TCP support) or through the NAT
> (usually no issues).

Well, yes. New NAT/firewall boxes might not have the problem, but old 
ones might. We don't know how many there are, how much will break, etc.
>
> Also, if firewalls blocking responses bigger than 512 bytes was an issue it
> would have turned up years ago, as the non-DNSSEC EDNS referral to the
> COM and NET servers has been bigger than 512 bytes for a long time now.
>
> ;<<>>  DiG 9.6.0-APPLE-P2<<>>  example.com +edns=0 @a.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44601
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;example.com.			IN	A
>
> ;; AUTHORITY SECTION:
> com.			172800	IN	NS	h.gtld-servers.net.
> com.			172800	IN	NS	a.gtld-servers.net.
> com.			172800	IN	NS	e.gtld-servers.net.
> com.			172800	IN	NS	k.gtld-servers.net.
> com.			172800	IN	NS	j.gtld-servers.net.
> com.			172800	IN	NS	d.gtld-servers.net.
> com.			172800	IN	NS	g.gtld-servers.net.
> com.			172800	IN	NS	l.gtld-servers.net.
> com.			172800	IN	NS	c.gtld-servers.net.
> com.			172800	IN	NS	b.gtld-servers.net.
> com.			172800	IN	NS	m.gtld-servers.net.
> com.			172800	IN	NS	f.gtld-servers.net.
> com.			172800	IN	NS	i.gtld-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.	172800	IN	A	192.5.6.30
> a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
> b.gtld-servers.net.	172800	IN	A	192.33.14.30
> b.gtld-servers.net.	172800	IN	AAAA	2001:503:231d::2:30
> c.gtld-servers.net.	172800	IN	A	192.26.92.30
> d.gtld-servers.net.	172800	IN	A	192.31.80.30
> e.gtld-servers.net.	172800	IN	A	192.12.94.30
> f.gtld-servers.net.	172800	IN	A	192.35.51.30
> g.gtld-servers.net.	172800	IN	A	192.42.93.30
> h.gtld-servers.net.	172800	IN	A	192.54.112.30
> i.gtld-servers.net.	172800	IN	A	192.43.172.30
> j.gtld-servers.net.	172800	IN	A	192.48.79.30
> k.gtld-servers.net.	172800	IN	A	192.52.178.30
> l.gtld-servers.net.	172800	IN	A	192.41.162.30
> m.gtld-servers.net.	172800	IN	A	192.55.83.30
>
> ;; Query time: 161 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Mon Nov 15 15:57:22 2010
> ;; MSG SIZE  rcvd: 528
>
> ]
>

Cool. This is in fact news to us.

We certainly don't know exactly what's going on in the DNS system, as 
we're not ueber-DNS experts.
That's why we asked for feedback, thanks.

Cheers
Mat
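Added example, not part of this thread or of any tool mentioned in it: a small Python helper that builds an EDNS0 query advertising a chosen UDP payload size and DO bit (what dig's +dnssec / +edns=0 do in the outputs above) and parses a reply for the three things the discussion turns on: total size against the classic 512-byte limit, the TC bit that forces a TCP retry, and the responder's OPT record. The sample referral is constructed, not captured, and is padded with placeholder signature bytes so it exceeds 512 bytes.

```python
import struct

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, ttl, rdata, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def opt_record(udp_size, dnssec_ok):
    """EDNS0 OPT: CLASS carries the UDP payload size, top bit of the TTL flags is DO."""
    return rr("", 41, 0x8000 if dnssec_ok else 0, b"", rclass=udp_size)

def build_edns_query(name, qtype=1, udp_size=4096, dnssec_ok=True, qid=0x1234):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set, QD=1, AR=1 (OPT)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_record(udp_size, dnssec_ok)

def skip_name(data, off):
    """Offset just past the name at off; a compression pointer (top bits 11) ends it."""
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off

def parse_response(data):
    """Size, TC bit, and the sender's EDNS UDP size / DO flag (None if no OPT present)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4            # QTYPE + QCLASS
    info = {"size": len(data), "tc": bool(flags & 0x0200), "edns_udp": None, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 41:
            info["edns_udp"], info["do"] = rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return info

def sample_referral(truncated=False):
    """Constructed br. referral: 2 NS, a 500-byte placeholder RRSIG, OPT advertising 4096."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8100 | (0x0200 if truncated else 0), 1, 0, 3, 1)
    body = encode_name("br.") + struct.pack("!HH", 1, 1)
    body += rr("br.", 2, 172800, encode_name("a.dns.br.")) + rr("br.", 2, 172800, encode_name("b.dns.br."))
    body += rr("br.", 46, 86400, b"\x00" * 500)            # placeholder signature bytes, not a real RRSIG
    return header + body + opt_record(4096, True)
```

A reply with "tc" set must be retried over TCP regardless of size; a reply over 512 bytes without TC only works because the querier advertised a larger EDNS buffer.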
