On Jan 13, 2010, at 2:41 PM, Olafur Gudmundsson wrote:

> At 16:16 13/01/2010, Jim Reid wrote:
>> On 13 Jan 2010, at 20:49, Alex Bligh wrote:
>> 
>>> Current operational practice would result in DO clear packets
>>> fitting within 4096 bytes, so no need for TCP when DO is clear.
>> 
>> I don't think that's always the case Alex. See the lengthy discussion
>> in this list about datagram fragmentation and broken middleware boxes
>> that don't grok EDNS0. [Or do EDNS0 with a 512 byte buffer size.
>> Sigh.] Mind you, some of those boxes will also barf on TCP DNS traffic.
> 
> The EDNS0 RFC restricts EDNS0 to 4096 bytes; a number of implementations
> will not send more even if the client asks for it. Firewalls will
> enforce this.

We should have some additional numbers for this with the new run (we just 
released an updated version of Netalyzr, http://netalyzr.icsi.berkeley.edu ). 
Among the new tests is a detailed check for actual DNS MTU rather than 
advertised DNS MTU.

Basically, you can't RELY on UDP packets over 1500B being received by DNS 
resolvers when requested, but it works a large amount of the time.

So basically, I'd have the model of "Try at EDNS4000, fallback to EDNS1280, 
fallback to TCP", and cache whether the resolver needs to do this for all 
authorities (because its side is fragment-broken) or just particular remote 
authorities.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
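The "try EDNS 4096, fall back to EDNS 1280, fall back to TCP, and cache the result per authority" model described in the message above, worked through as an added Python example. This is not code from the original post or from Netalyzr: the OPT-record encoding follows the EDNS0 wire format, but the authority names, answer sizes, the SimulatedPath class and its rule that a fragment-broken path drops any UDP payload over 1280 bytes are constructed assumptions standing in for a real socket layer.

```python
import struct

# Order of attempts from the message: large EDNS buffer, smaller EDNS buffer, then TCP.
STRATEGY = [("udp", 4096), ("udp", 1280), ("tcp", None)]
TCP = len(STRATEGY) - 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns_size=None):
    """Wire-format query; an OPT pseudo-RR advertising edns_size is appended when given."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg


def _skip_name(msg, pos):
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def advertised_payload_size(msg):
    """UDP payload size advertised by the query's OPT RR, or the classic 512 if there is none."""
    qdcount, _an, _ns, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(arcount):  # a query carries no answer/authority RRs, so additional follows
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == 41:
            return rclass
    return 512


def make_response(txid, size, truncated):
    """Constructed response of the given total size; only the header bits matter here."""
    flags = 0x8000 | (0x0200 if truncated else 0)  # QR, optionally TC
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + b"\x00" * (size - 12)


def is_truncated(resp):
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)


class SimulatedPath:
    """Assumed model of one authority and the path to it (not a real network).
    answer_size is the full response; frag_broken drops UDP payloads over 1280 bytes,
    mimicking a path where fragments never arrive at the resolver."""

    def __init__(self, answer_size, frag_broken):
        self.answer_size = answer_size
        self.frag_broken = frag_broken
        self.sent = []  # (proto, advertised size) per attempt, for inspection

    def exchange(self, proto, msg):
        txid = struct.unpack("!H", msg[:2])[0]
        adv = advertised_payload_size(msg)
        self.sent.append((proto, adv if proto == "udp" else None))
        if proto == "tcp":
            return make_response(txid, self.answer_size, False)
        if self.answer_size <= adv:
            resp = make_response(txid, self.answer_size, False)
        else:
            resp = make_response(txid, adv, True)  # server fills the buffer and sets TC
        if self.frag_broken and len(resp) > 1280:
            raise TimeoutError("fragmented datagram lost on the path")
        return resp


class FallbackResolver:
    def __init__(self, paths):
        self.paths = paths  # authority -> SimulatedPath
        self.cache = {}     # authority -> index into STRATEGY that last worked

    def query(self, authority, qname):
        path = self.paths[authority]
        idx = self.cache.get(authority, 0)  # start where this authority last succeeded
        while idx < len(STRATEGY):
            proto, size = STRATEGY[idx]
            try:
                resp = path.exchange(proto, build_query(qname, edns_size=size))
            except TimeoutError:
                idx += 1  # nothing came back: advertise less, then go to TCP
                continue
            if proto == "udp" and is_truncated(resp):
                idx = TCP  # answer really is too big for UDP; a smaller buffer cannot help
                continue
            self.cache[authority] = idx
            return STRATEGY[idx], len(resp)
        raise RuntimeError("no transport worked for %s" % authority)


def demo():
    paths = {
        "ns.fragile.example": SimulatedPath(answer_size=3000, frag_broken=True),
        "ns.healthy.example": SimulatedPath(answer_size=3000, frag_broken=False),
        "ns.tiny.example": SimulatedPath(answer_size=400, frag_broken=True),
    }
    resolver = FallbackResolver(paths)
    first = {a: resolver.query(a, "example.") for a in paths}
    second = {a: resolver.query(a, "example.") for a in paths}  # reuses cached choice
    return resolver, first, second


if __name__ == "__main__":
    r, first, second = demo()
    for authority, path in r.paths.items():
        print(authority, "->", first[authority], "attempts:", path.sent)
```

The fragile authority costs three round trips the first time (4096 lost, 1280 truncated, TCP) and one thereafter, which is the point of caching the outcome; the healthy and small-answer authorities never leave UDP. The cache is keyed per authority here, so the case the message raises where the resolver's own side is fragment-broken would be represented by seeding every entry with the same index.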