TCP truncated?

peter at icke-reklam.manet.dot..nu peter at icke-reklam.manet.dot..nu
Mon Mar 27 15:40:10 UTC 2000 

Barry Margolin <barmar at bbnplanet.com> wrote:
> In article <20000327141111.G77375 at lucifer.bart.nl>,
> Jeroen Ruigrok van der Werven  <asmodai at bart.nl> wrote:
>>Can someone with more in-depth knowledge of the BIND source code please
>>tell me what this means?
>>
>>Mar 27 14:04:54 hel named[78358]: ns_resp: TCP truncated:
>>"2.236.239.194.in-addr.arpa" IN PTR from [194.239.236.2].53

> It means that your server tried a UDP query and got a truncated response,
> so then it switched to TCP and *still* the response was truncated.

This address seems to be part of a larger problem. Looking at
194.239.236.3 gives :
;; ANSWERS:
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.se.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.dk.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.com.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.be.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.co.uk.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.nl.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.fi.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.pl.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.de.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.ie.
3.236.239.194.in-addr.arpa.     86400   PTR     www.asap-scandia.fr.
3.236.239.194.in-addr.arpa.     86400   PTR     booking.dfdstransport.com.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdsdantransport.dk.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdstransport.ee.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdsdantransport.com.
3.236.239.194.in-addr.arpa.     86400   PTR     liner.dfdstransport.com.
3.236.239.194.in-addr.arpa.     86400   PTR     pod.dfdstransport.com.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdsdan.com.
3.236.239.194.in-addr.arpa.     86400   PTR     www.dfdsdan.dk.
3.236.239.194.in-addr.arpa.     86400   PTR     mail.dfds.it.
3.236.239.194.in-addr.arpa.     86400   PTR     mail.dfdstransport.it.

Which does not make sense to me! Normally ONE PTR records should
show up.

Is this a win2000-dhcp thing that keeps adding PTR records to
a nameserver ?

>>It seemingly only started today.
Shure. Other addresses in the same net seems to be infected too!
>>
>>I am curious why they are using a TCP session for the NS stuff.

> Because that IP address has too many PTR records to fit in a 500-byte UDP
> response.  When a response doesn't fit in a small UDP packet, you're
> supposed to switch to TCP.  That's part of the protocol spec.

> -- 
> Barry Margolin, barmar at bbnplanet.com
> GTE Internetworking, Powered by BBN, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.




-- 
--
Peter Håkanson         
        Manet Networking      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
echo "peter (at) manet (dot) nu" | sed "s/(at)/@/g " | sed "s/(dot)/\./g"|sed "s/ //g"

More information about the bind-users mailing list