RFC 2181, section 9, indicates that name servers should not set the TC bit gratuitously; as long as the answer section is complete, TC should not be set just because the authority and/or additional sections won't also fit in the UDP packet.
Using BIND (9.4.3-P3 and 9.7.2-P3) as a resolver doesn't follow this recommendation, however, when querying for the A records of an internal domain consisting of 24 Active Directory domain controllers:

;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.2-P3 <<>> americas.cpqcorp.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49806
;; flags: qr rd ra; QUERY: 1, ANSWER: 24, AUTHORITY: 13, ADDITIONAL: 6
...
;; MSG SIZE rcvd: 821

The TC bit is *not* set and only the 24-record answer section is returned in the following circumstances:

1. Configuring the "minimal-responses yes" option (returned message size is 422).
2. Adding a "+bufsize=512" option to the dig command (returned message size is 433).
3. Querying the MS domain controller directly (returned message size is 422).

Granted, the RFC states "should" instead of "must" and the set TC bit did reveal a misconfigured firewall that otherwise would have probably gone unnoticed. I'm just curious to know if this is a feature or an oversight.

------
Andris

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
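An added illustration, not from the post or from BIND, of the RFC 2181 section 9 behaviour the post expects: fit_to_udp trims a DNS reply to a UDP size limit by dropping the additional section, then the authority section, and sets TC only when the answer section itself no longer fits. The sample reply is constructed with the post's query name and section counts (24/13/6); the RR contents and the NS names dcNN are made up, though the answer-only form comes out at 422 bytes, the same figure the post reports for minimal-responses.

```python
import struct
def _skip_name(msg, off):
    """Offset just past a (possibly compressed) wire-format domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:          # walk labels until root or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def _rr_ends(msg, off, count):
    """End offsets of `count` consecutive resource records starting at `off`."""
    ends = []
    for _ in range(count):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]   # TYPE, CLASS, TTL, RDLENGTH + RDATA
        ends.append(off)
    return ends

def fit_to_udp(msg, limit=512):
    """Trim a reply to `limit` bytes the RFC 2181 s.9 way: drop additional, then authority,
    and set TC only if the answer section itself does not fit. Returns (message, tc_set)."""
    if len(msg) <= limit:
        return msg, False
    flags, qd, an, ns = struct.unpack_from("!HHHH", msg, 2)
    off = 12
    for _ in range(qd): off = _skip_name(msg, off) + 4          # QNAME, QTYPE, QCLASS
    an_ends = _rr_ends(msg, off, an)
    an_end = an_ends[-1] if an_ends else off
    ns_end = _rr_ends(msg, an_end, ns)[-1] if ns else an_end    # kept sections never point into dropped ones here
    if ns_end <= limit:                  # only the additional section has to go
        cut, an_keep, ns_keep, tc = ns_end, an, ns, False
    elif an_end <= limit:                # answer is complete: TC stays clear
        cut, an_keep, ns_keep, tc = an_end, an, 0, False
    else:                                # answer itself does not fit: TC is legitimate
        kept = [e for e in an_ends if e <= limit]
        cut, an_keep, ns_keep, tc = (kept[-1] if kept else off), len(kept), 0, True
    out = bytearray(msg[:cut])
    struct.pack_into("!HHHHH", out, 2, (flags | 0x0200) if tc else (flags & ~0x0200), qd, an_keep, ns_keep, 0)  # 0x0200 = TC
    return bytes(out), tc

def build_response(n_answer, n_authority, n_additional):
    """Constructed sample reply for americas.cpqcorp.net/A (RR contents made up);
    every owner name after the question is a pointer to the question name."""
    ptr = b"\xc0\x0c"
    rr = lambda owner, rtype, rdata: owner + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    dc = lambda i: b"\x04dc%02d" % i + ptr                       # dcNN.americas.cpqcorp.net (made up)
    msg = struct.pack("!HHHHHH", 49806, 0x8180, 1, n_answer, n_authority, n_additional)
    msg += b"\x08americas\x07cpqcorp\x03net\x00" + struct.pack("!HH", 1, 1)
    msg += b"".join(rr(ptr, 1, bytes([16, 1, 1, i])) for i in range(n_answer))        # A RRs, 16 bytes each
    msg += b"".join(rr(ptr, 2, dc(i)) for i in range(n_authority))                    # NS RRs
    msg += b"".join(rr(dc(i), 1, bytes([10, 0, 0, i])) for i in range(n_additional))  # glue A RRs
    return msg
```

Calling fit_to_udp(build_response(24, 13, 6), 512) returns the 422-byte answer-only reply with TC clear; only a limit below the answer section (for example 400) produces a truncated answer with TC set.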