Side-effects of edns-udp-size 512

Ray Van Dolson rvandolson at
Tue May 4 00:04:08 UTC 2010

On Mon, May 03, 2010 at 04:54:38PM -0700, Doug Barton wrote:
> On 05/03/10 16:46, Ray Van Dolson wrote:
> > On Mon, May 03, 2010 at 04:20:30PM -0700, Doug Barton wrote:
> >> On 05/03/10 09:34, Ray Van Dolson wrote:
> >>>
> >>> I believe having edns-udp-size set at 512 gives us maximum
> >>> compatibility with anything out there behind a broken firewall, etc,
> >>> though we should look at removing the limit at some point in the future
> >>> when possible.
> >>
> >> Doing this will simply perpetuate the problem, not solve it.
> >>
> > 
> > I do understand that.  However, it's not always a practical stance to
> > take... :)
> Define "practical." There is an ever-decreasing subset of networks that
> CAN do DNS over TCP properly, but CANNOT do "DNS w/UDP > 512." By
> changing edns-udp-size you cater to them, but you disadvantage the
> majority of networks that actually work.
> In all likelihood you would be better off investigating why you have
> such large RRs in the first place.
> Oh and BTW, if your responses are > 512 you will be signaling to the
> resolver that they need to retry via TCP. You have tested TCP access to
> your authoritative name servers, right?

My workflow is as follows:

    1. We notice slow DNS resolution to a given external domain (either
       via user complaint or other means)
    2. Troubleshoot and identify that the given domain's primary
       nameservers don't properly handle or respond at all to EDNS0
       enabled queries (probably a network issue).  In addition, this
       domain may have a fairly low TTL set which makes the problem a
       bit more visible to end users, especially if it's not queried
       regularly enough to stay in cache.
    3. We attempt to contact the domain contacts to get them to fix
       their configuration.
    4. If we don't get any response back after multiple tries, we'll
       typically disable EDNS for this particular domain.

So we do give best effort on trying to get the other side to resolve
their issues, but in the end, I have other things I need to work on and
I'm going to work around the problem to make my customers happy if I
have to.

I realize this doesn't specifically address setting the default edns
size to 512 bytes -- that I don't really have any problem doing as long
as we have the above workaround available to us for networks/domains
that don't cooperate.

By and large, you're right -- most everyone out there is set up
correctly and we don't have any issues.
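The checks behind step 2 above and Doug's question about TCP access, as an added example that is not from the original thread: a small standard-library Python diagnostic that sends the same question to one nameserver three ways (plain UDP, an EDNS0 query advertising a 4096-byte buffer, and TCP) and reports which ones answered. The server address and name are whatever you pass to `probe()`; the 4096-byte buffer size, the 2-second timeout and the function names are my assumptions.

```python
import socket
import struct

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """DNS query for `name` (type A by default, RD=1).  With edns_udp_size set,
    append an OPT pseudo-RR (RFC 6891) advertising that UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(resp):
    """The fields that matter here: rcode, TC bit (signals 'retry over TCP') and counts."""
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "ancount": an, "arcount": ar}

def send_udp(server, query, timeout=2.0):
    """Parsed header of the UDP reply, or None when the server never answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return parse_header(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

def send_tcp(server, query, timeout=2.0):
    """Same query over TCP (2-byte length prefix, RFC 1035 4.2.2); None on failure."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            f = s.makefile("rb")  # read(n) blocks until n bytes arrive or EOF
            prefix = f.read(2)
            if len(prefix) < 2:
                return None
            data = f.read(struct.unpack("!H", prefix)[0])
            return parse_header(data) if len(data) >= 12 else None
    except OSError:  # refused, filtered or timed out: the TCP fallback would not work
        return None

def probe(server, name):
    """Ask the same question three ways; a None for edns_udp alone points at step 2."""
    return {"plain_udp": send_udp(server, build_query(name)),
            "edns_udp": send_udp(server, build_query(name, edns_udp_size=4096)),
            "tcp": send_tcp(server, build_query(name))}
```

A server that answers plain UDP and TCP but never the EDNS0 query is the case step 4 works around; in BIND that is done per nameserver with `edns no;` inside a `server` statement, whereas a None for `tcp` means the TC-bit retry Doug mentions would fail as well.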
