packet too big

Jim Reid jim at rfc1035.com
Fri Jul 9 15:36:57 UTC 2004


>>>>> "Michael" == Michael Varre <bind9 at kishmish.com> writes:

    Michael> Yes, they are being blocked because they are larger than
    Michael> 512 bytes - I just don't understand why they are that
    Michael> large.  Seems there should be a better explanation than
    Michael> just allowing larger packets through via a fixup.

There is nothing in the DNS protocol that limits answers to 512 bytes.
The string in a TXT record for instance can be up to 64 Kbytes. So it
can't be assumed any answer from the DNS will be less than 512 bytes.
That said, most DNS replies are < 512 bytes to avoid truncated
responses and retried queries over TCP. However this cannot be assumed
or guaranteed. You have no way of controlling what data other people
put in their zones and therefore how much data their name servers have
to send in a query response. There's even a DNS protocol extension,
EDNS0, which allows for bigger UDP payloads. This will be a Big Win
for things like DNSSEC, ENUM & IPv6 which can make DNS responses much
bigger than they have been in the past.

If you have a firewall that's blocking DNS payloads of more than 512
bytes (i.e. EDNS0 packets or DNS traffic over TCP), it's broken. It's
that simple.

