EDNS packet sizes

Paul Vixie Paul_Vixie at isc.org
Tue Jun 17 17:10:13 UTC 2008

Howard Wilkinson <howard at cohtech.com> writes:

> I am coding up some software that will attempt to use EDNS queries 
> against the name servers it is interrogating. I was wondering if the 
> strategy of setting the maximum packet size to 65k would promote any 
> failures in the target name servers or the pathways to them that a 
> smaller packet size may not?

it shouldn't.  responders are expected to use the lesser of two limits,
one limit being the size of the requestor's buffer, and the other being
the size of the responder's own buffer.

> I know some servers will fail to respond to EDNS and am coping with that 
> already, but I am trying to work out whether I need to do packet size 
> discovery in my code or can I leave this to the name servers MTU 
> discovery process in all cases.

that question is unrelated to the above.  you may have a path MTU problem
and if you want to avoid it you'll have to discover the path MTU by setting
DF on your requests and looking for ICMP-MustFrag responses.  in either
case you have to be more tolerant of timeouts, some timeouts just mean the
EDNS wasn't understood by a DPI ("dippy") firewall which threw it silently
away.  if you get a timeout while using EDNS, with or without DF set, you
ought to retry without EDNS.

> I understand that firewalls in the pathway may also cause problems, but 
> again will the servers cope or do I need to try something like a binary 
> chop discovery mechanism?

the servers won't be the problem.
Paul Vixie