truncated responses vs. minimal-responses?
marka at isc.org
Wed Dec 5 13:13:05 UTC 2012
In message <20121205125024.GC11764 at fantomas.sk>, Matus UHLAR - fantomas writes:
> >> On 28.11.12 18:38, Tony Finch wrote:
> >>> Yes it does. For example, have a look at responses to queries for
> >>> dotat.at
> >>> in mx for various buffer sizes and observe that RRsets are dropped but
> >>> the
> >>> TC bit is not set.
> >On 11/30/2012 01:30 PM, Matus UHLAR - fantomas wrote:
> >> Nice to see. I'm seeing recommendations to set minimal-responses to avoid
> >> truncation problem anywhere and I'd like to have documented somewhere that
> >> it just won't help...
> On 03.12.12 09:41, Gilles Massen wrote:
> >Truncation happens only if the ANSWER section is too large, and as
> >minimal-responses only affects AUTHORITY and ADDITIONAL the effect on
> >truncation should be null.
> I'm curious if there's any case where the AUTHORITY section is needed to
> proper function of DNS. I think I've seen reports about truncaetd responses
> with AUTHORITY section added ... maybe intermediate firewall or
> loadbalancer truncating them...
Yes. Referrals. Additionally the additional section records are
not optional in a referral. Records added at step 6 of Section
4.3.2. of RFC 1034 are optional. Records added to the additional
section at other steps are not optional. There have been demonstated
cases of referrals failing due to not adding glue records in a
Named will produce responses with TC=1 as a result of not being
able to add records to the additional section. Every referral from
the root servers to COM or NET using plain DNS should result in
TC=1 being set.
> >For UPD fragmentation it is an entirely different matter, of course. But
> >should default settings really be optimized to accomodate broken firewalls?
> default or non-default, if weare behind firewall or loadbalancer, we should
> know when they cause troubles.
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Enter any 12-digit prime number to continue.
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users