Compression / Pointers on returned queries

Kevin Darcy kcd at chrysler.com
Thu Jun 5 03:48:22 UTC 2008


Mark Andrews wrote:
>> Brian Feeny wrote:
>>>> -----Original Message-----
>>>> From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org]
>>>> Sent: Wednesday, June 04, 2008 9:57 PM
>>>> To: Brian Feeny
>>>> Cc: bind-users at isc.org
>>>> Subject: Re: Compression / Pointers on returned queries
>>>>
>>>>
>>>> 	Why do you care?  As long as you get the answer in a single
>>>> 	packet it makes little to no difference.  Also why are you
>>>> 	asking recursive queries?  If you want to test authoritative
>>>> 	servers then you should be making non-recursive queries.
>>>> 	The server should also be configured not to accept recursive
>>>> 	queries from anywhere.
>>> Because a response of >512 bytes causes pain because of firewalls/etc that
>>> may drop the packets by default.
>> How old are these devices? RFC 2671 was published in August of 1999.
>
> 	RFC 1034 was published in 1987.  These boxes aren't even
> 	RFC 1034 compliant.
>
>> Note that you can configure named to use 512 as its EDNS0 buffer size, to
>> get around middlebox obsolescence/brokenness. See "edns-udp-size" in the
>> ARM documentation.
>>
>> - Kevin
>
> 	Which only works if the server talks EDNS which it doesn't.
I thought there were some versions of dig which silently advertised a 2K 
buffer size, but either I was mistaken, or it's irrelevant in this case 
anyway. This nameserver implementation/instance is indeed returning an 
illegal response packet (verified with a packet trace), and any attempt 
to use EDNS just results in a FORMERR response. Disgusting.

Mostly, though, I was responding to the comment "a response of >512 
bytes causes pain because of firewalls/etc", which also shouldn't be an 
issue if the middleboxes are reasonably modern and EDNS-aware. That 
point is rather academic, however, when the responding server flagrantly 
violates even older, more established standards...

Of course, the Akamai stuff _also_ technically violates standards by 
allowing chained CNAMEs. I've known about that one for quite some time, 
and raised that as an issue with them, but this latest 
standards-violation is a new one on me.

- Kevin
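
As an added illustration of the checks this thread talks about (example code written for this archive page, not code from any of the posters or from BIND), the Python below builds the query a client would send with and without an RFC 2671 OPT record advertising a 512-octet buffer, and audits a reply for the points raised above: whether it fits the classic 512-octet UDP limit or carries the TC bit, whether the server answered the OPT record with FORMERR, and whether every compression pointer points to a prior occurrence as RFC 1035 section 4.1.4 requires. The three sample responses are constructed inline for the example; they are not captures of the server under discussion, and the name www.example.com and address 192.0.2.1 are placeholders.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # largest UDP payload a pre-EDNS0 resolver must accept (RFC 1035)
TYPE_A, TYPE_CNAME, TYPE_OPT, CLASS_IN, RCODE_FORMERR = 1, 5, 41, 1, 1

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def build_query(qname, qtype=TYPE_A, txid=0x1234, rd=False, edns_udp_size=None):
    """Query (non-recursive unless rd=True); with edns_udp_size set, append the
    RFC 2671 OPT pseudo-RR: root owner, TYPE 41, CLASS = advertised UDP size."""
    msg = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0 if edns_udp_size is None else 1)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_udp_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset of the next field).
    A pointer must refer to a prior occurrence (RFC 1035 4.1.4): a forward or self
    pointer raises ValueError, which also makes pointer loops impossible."""
    labels, pos, end = [], offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of packet")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2                        # wire stream resumes after the pointer
            if target >= pos:
                raise ValueError("pointer at offset %d to %d is not a prior occurrence" % (pos, target))
            pos = target                             # strictly backwards, so this terminates
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                              # root label terminates the name
            return ".".join(labels) + ".", (pos + 1 if end is None else end)
        if pos + 1 + length > len(msg):
            raise ValueError("label runs past end of packet")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def parse_message(msg):
    """Parse a whole message, validating every name.  Returns RCODE, TC flag, the
    OPT record if present, and (owner, type, rdata or CNAME target) triples."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "opt": None, "rrs": []}
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4                                     # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        owner, pos = read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])  # struct.error if short
        pos += 10
        if pos + rdlen > len(msg):
            raise ValueError("RDATA runs past end of packet")
        if rtype == TYPE_OPT:
            info["opt"] = {"udp_size": rclass, "ext_rcode": ttl >> 24}
        elif rtype == TYPE_CNAME:                    # RDATA is itself a compressible name
            info["rrs"].append((owner, rtype, read_name(msg, pos)[0]))
        else:
            info["rrs"].append((owner, rtype, msg[pos:pos + rdlen]))
        pos += rdlen
    if pos != len(msg):
        raise ValueError("trailing octets after last RR")
    return info

def audit_response(msg):
    """Summarise a reply in the thread's terms: size vs the 512-octet limit, TC bit,
    FORMERR to our OPT record, and any illegal name or compression pointer."""
    report = {"size": len(msg), "fits_512": len(msg) <= CLASSIC_UDP_LIMIT, "illegal": None}
    try:
        report.update(parse_message(msg))
        report["formerr"] = report["rcode"] == RCODE_FORMERR
    except (ValueError, struct.error) as exc:
        report["illegal"] = str(exc)
    return report

# Constructed sample packets for the example (not captures of the server in the thread).
_HDR = lambda flags, an: struct.pack("!HHHHHH", 0x1234, flags, 1, an, 0, 0)
_Q = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)  # 21 octets, ends at offset 33
_A_RR = struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
LEGAL_RESPONSE = _HDR(0x8180, 1) + _Q + b"\xc0\x0c" + _A_RR    # owner = pointer back to the QNAME at 12
ILLEGAL_RESPONSE = _HDR(0x8180, 1) + _Q + b"\xc0\x23" + _A_RR  # owner = pointer forward to offset 35
FORMERR_RESPONSE = _HDR(0x8001, 0) + _Q                         # QR set, RCODE 1, question echoed

if __name__ == "__main__":
    print(len(build_query("www.example.com", edns_udp_size=512)), "octet EDNS query")
    print(*(audit_response(p) for p in (LEGAL_RESPONSE, ILLEGAL_RESPONSE, FORMERR_RESPONSE)), sep="\n")
```

Against a live server you would send build_query() over UDP with the RD bit left clear, as Mark suggests for testing an authoritative server, and pass the reply to audit_response(); an "illegal" entry naming a pointer that is not a prior occurrence is what the packet trace in this thread shows. A FORMERR to the OPT record is the response RFC 2671 specifies for a server that does not implement EDNS, so a client should retry that query without the OPT record rather than treat it as a failure of the zone.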
