Re: Broken PMTUD for . + TLD servers, was: Re: Smallest Transit MTU

From: Mark Andrews (no email)
Date: Mon Jan 10 2005 - 06:42:28 EST

  • Next message: Suresh Ramasubramanian: "Re: Broken PMTUD for . + TLD servers, was: Re: Smallest Transit MTU"

    > I receive DNS responses > 500 bytes every day (reported by PIX firewall). So
    > it is an issue, no matter what is recommended in RFC.

            And you most probably have EDNS clients (nameservers) inside
            your firewall making EDNS queries which return EDNS responses
            that are bigger than 512 bytes. EDNS has been standards
            track for over 5 years now. The majority of the nameservers
            in the world talk EDNS between themselves and have been for
            several years now. Only a few queries caused the EDNS
            response to exceed 512 bytes.

            With the introduction of the AAAA records for A.GTLD-SERVERS.NET
            and B.GTLD-SERVERS.NET any EDNS referral from the root
            servers for COM/NET now exceeds 512 bytes (520 minimum).
            A plain DNS referral to COM/NET is 509 bytes so any referral
            for a name longer than xx.com is dropping glue records for
            the COM/NET servers.

            The correct thing to do is to fix your firewall to handle the
            EDNS responses.

            Mark

            RFC 2671: Extension Mechanisms for DNS (EDNS0)

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742                 INTERNET: 
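Added example, not part of Mark's message or the list archive: a small Python model of the root referral he describes, built with RFC 1035 name compression, so the byte counts of a plain referral, an EDNS0 referral (which carries an 11-byte OPT record) and the same referral with AAAA glue for A and B can be compared against the 512-byte plain-DNS limit. The server names follow the gtld-servers.net pattern from the thread, the addresses are constructed documentation prefixes, and the counts are those of this model, not the exact sizes of the 2005 root server responses.

```python
import struct
NS, A, AAAA, OPT = 2, 1, 28, 41
GTLD_SERVERS = [f"{c}.gtld-servers.net" for c in "abcdefghijklm"]   # the 13 COM/NET servers

def add_name(msg, name, offsets):
    """Append name with RFC 1035 label compression; offsets maps suffixes already in msg to their position."""
    labels = [l for l in name.lower().split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:                       # suffix seen before: emit a 2-byte pointer
            msg += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        offsets[suffix] = len(msg)
        msg += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels.pop(0)
    msg += b"\x00"                                  # root label ends an uncompressed name

def add_rr(msg, offsets, owner, rtype, rdata, ttl=172800):
    """Append one RR; NS RDATA is a name and may be compressed (RFC 1035 section 4.1.4)."""
    add_name(msg, owner, offsets)
    msg += struct.pack("!HHI", rtype, 1, ttl)       # TYPE, CLASS IN, TTL
    pos = len(msg); msg += b"\x00\x00"              # RDLENGTH placeholder, patched below
    if rtype == NS:
        add_name(msg, rdata, offsets)
    else:
        msg += rdata
    struct.pack_into("!H", msg, pos, len(msg) - pos - 2)

def build_referral(qname, edns=False, aaaa_for=()):
    """Wire-format referral for qname: 13 NS records, A glue for every server, AAAA glue for
    the servers in aaaa_for, and an 11-byte OPT record when the query carried EDNS0."""
    tld, msg, offsets = qname.rstrip(".").split(".")[-1], bytearray(), {}
    arcount = len(GTLD_SERVERS) + len(aaaa_for) + (1 if edns else 0)
    msg += struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(GTLD_SERVERS), arcount)  # header, QR=1
    add_name(msg, qname, offsets)
    msg += struct.pack("!HH", A, 1)                 # question: qname IN A
    for srv in GTLD_SERVERS:
        add_rr(msg, offsets, tld, NS, srv)
    for i, srv in enumerate(GTLD_SERVERS):          # constructed RFC 5737 / RFC 3849 addresses
        add_rr(msg, offsets, srv, A, bytes([192, 0, 2, i + 1]))
    for srv in aaaa_for:
        add_rr(msg, offsets, srv, AAAA, bytes.fromhex("20010db8") + bytes(11) + b"\x01")
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)  # OPT: root owner, 4096-byte UDP payload
    return bytes(msg)

def referral_sizes(qname, v6=("a.gtld-servers.net", "b.gtld-servers.net")):
    """Byte counts of the four variants: with/without EDNS0 and with/without AAAA glue for A and B."""
    return {"plain": len(build_referral(qname)), "EDNS": len(build_referral(qname, edns=True)),
            "plain+AAAA": len(build_referral(qname, aaaa_for=v6)),
            "EDNS+AAAA": len(build_referral(qname, edns=True, aaaa_for=v6))}
```

Calling referral_sizes("xx.com") shows the plain referral with AAAA glue landing exactly on 512 bytes while the EDNS0 version goes over, which is the class of response a firewall enforcing the old 512-byte rule drops.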
    
