RRSet size limitation lower than predicted by RDLENGTH field size

Tom Byrnes tomb at threatstop.com
Tue Apr 22 22:16:54 UTC 2008


Here are the results of my calculations:
Message Header: 12 Bytes

First RR: 
Name, which, worst case is a FQDN Name label, which, since all our lookups
have max fields of 16 characters, with two fields before threatstop.local is
never more than 51 Bytes
10 Bytes of invariant fields
4 bytes of RDATA
= 65 Bytes

Subsequent RRs
2 byte pointer to name in first rr
10 bytes invariant
4 bytes RDATA
= 16 Bytes

So, worst case number of A RRs in a single message payload is:

INT(((65535-12-65)/16))+1 = 4092


If my maths are faulty, please correct me.

As far as it not being a good idea to operate at the limit, this meme is oft
repeated here and elsewhere, but, for a private DNS, I don't see what the
big deal is.

To quote one of the members of my BOD, Paul Mockapetris "It works in
practice, if not in theory."

In the public DNS, I'm sure there are many nameservers and networks that
squawk @ anything other than a standard UDP response, but my target isn't
public.

Considering that we need to transmit very long lists, and the Vixie RBL
method, even with zone transfers and local cache, is problematic for wire
speed packet filtering, breaking the lists up into lots of small UDP packets
actually creates more problems than using TCP to its limit.

BTW: There are plenty of users using our basic lists in .com, without
complaint.

-----Original Message-----
From: Chris Thompson [mailto:cet1 at hermes.cam.ac.uk] 
Sent: Monday, April 21, 2008 4:49 AM
To: Tom Byrnes
Cc: bind-users at isc.org
Subject: RE: RRSet size limitation lower than predicted by RDLENGTH field size

On Apr 20 2008, Tom Byrnes wrote:

>I've done some more digging and I have figured at least one reason
>why the responses would be in the 4K range: the TCP message length 
>part before the DNS message header.
>
>That specifies the length of the TCP message excluding its 2 bytes,
>which limits the entire message to 65535 bytes. 
>
>With a message header of 12 bytes, and 14 bytes for each RR, the 
>total number of A records that can be returned in 65535 bytes is 
>around 4600.

While counting 14 bytes per RR you are still forgetting the owner
name that appears in every RR. Even with maximal compression ("this
name is exactly the same as this other name already in the packet"
... and of course that will be true for almost all of your mammoth
RRset) that's an extra 2 bytes. Hence the 4096 (less a few).

Of course, it's really not a good idea to operate anywhere near
these limits.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk

