Re: CARP+Pfsync+Bind

Thu, 06 Oct 2005 16:57:24 -0700 

** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005
22:15:25 +0100

>On Thu, 6 Oct 2005 15:49:02 -0400
>"Dave Anderson" <[EMAIL PROTECTED]> wrote:
>
>> That's not quite the whole story: 53/tcp is also used when the
>> response to a query is too big for a single UDP packet (the resolver
>> sends a UDP query and gets a 'truncated' UDP reply, so the resolver
>> retries the query using TCP) -- you should always pass both UDP and
>> TCP for port 53 to avoid occasional obscure failures.
>
>Works fine on on the 20000 domains where it's been implemented, of which
>I handled the conversion from BIND style to djbdns. No problems on UDP
>lookups alone, including some deep CNAMEs, which are just not required,
>but I'll deal with those at a later date.
>
>I haven't seen any problems since the change. Lookup times have
>improved, I can't state if this is due to the lack of TCP or the file
>system overheads with zone files, but I expect a mixture of the two.

According to RFC 1035 section 4.2.1 you're riding for a fall:

    Messages carried by UDP are restricted to 512 bytes (not 
    counting the IP or UDP headers).  Longer messages are 
    truncated and the TC bit is set in the header.

RFC 2671 modifies this by specifying a method for using UDP packets
containing more than 512 bytes, but the maximum size is still limited.

RFC 2181 section 9 is quite clear:

    The TC bit should be set in responses only when an RRSet 
    is required as a part of the response, but could not be 
    included in its entirety.  The TC bit should not be set 
    merely because some extra information could have been 
    included, but there was insufficient room.  This includes 
    the results of additional section processing.  In such 
    cases the entire RRSet that will not fit in the response 
    should be omitted, and the reply sent as is, with the TC 
    bit clear.  If the recipient of the reply needs the 
    omitted data, it can construct a query for that data and 
    send that separately.

    Where TC is set, the partial RRSet that would not 
    completely fit may be left in the response.  When a DNS 
    client receives a reply with TC set, it should ignore 
    that response, and query again, using a mechanism, such 
    as a TCP connection, that will permit larger replies.

Responses long enough so that required information is truncated should
be rare, so perhaps you've been lucky and not encountered any yet.

        Dave

-- 
Dave Anderson
<[EMAIL PROTECTED]>

Reply via email to