Truncated DNS message over UDP

Sebastiano Di Paola sebastiano.dipaola at gmail.com
Wed Jun 27 13:14:53 UTC 2012


Hi,
Mark you are right saing  "When it's possible..."

But I want to address the  the situation when the DNS server is made
to limit response on 512 Bytes (i.e. for bind server parameter
udp-max-size 512) and the answer is bigger. (Imagine I have a big TXT
record for example)

As bind up to version 9.9.1-P1 gives partial answer in this case
(filling the reply packet up to 512 Bytes and setting TC bit) is there
any configuration to obtain a response packet with omitted "answer"
and "authorities" and, unless additional record is specified by query
packet i.e. setting edsn0,  "additional" parts ?

The behaviour I observed is not what you said is stated in DNSSEC (but
I'm not just talking about DNSSEC) related RFCs, even if I would like
it had been like that.
Regards,
Sebastiano




On Wed, Jun 27, 2012 at 2:10 PM, Marc Lampo <marc.lampo at eurid.eu> wrote:
> Hello,
>
> Several RFC's on DNS do state that name servers (not only Bind) should
> avoid,
> if possible, to send messages that would require the TC bit set in the
> reply.
> Replies can be stay shorter if some sections (authority/additional) are
> not
> included in the reply.
> I know for sure that DNSSEC related RFC's explicitly state to leave
> authority/additional section empty if filling them would lead to the
> answer becoming too big and requiring the TC bit to be set.
> --> it is not a configuration setting, it's RFC defined.



>
>
> Kind regards,
>
> Marc Lampo
> Security Officer
> EURid (for .eu)
>
>
> -----Original Message-----
> From: Sebastiano Di Paola [mailto:sebastiano.dipaola at gmail.com]
> Sent: 27 June 2012 10:43 AM
> To: bind-users at lists.isc.org
> Subject: Truncated DNS message over UDP
>
> Hello everyone,
> before sending this email I tried do some seaches on this topic, but no
> luck so far...so before bothering bind-workers here's my question
>
> I was wondering if a configuration option exists in order to force bind
> server to send a "minimal (from size and number of returned record point
> of view)" response in case the trucated bit is set in the header.
>
> Let me explain better...
> 1) Client asks for "www.mydomain.com" type ANY to my server (RD bit is
> set)
> 2) Server gets the response (does not matter if from cache or not) but the
> answer is bigger than 512 bytes (or the server has  udp-max-size
> 512 parameter in configuration)
> 3) Server send answer with TC bit = 1, but instead of giving partial
> response header is like this QDCOUNT = 1, ANCOUNT = 0, NSCOUTN = 0,
> ADDITIONAL=0 (if there is no EDSN0 in query) and just sent back the
> question section.
> 4) Client (if needed) re-do the query using TCP (some clients does not use
> records contained in packets with TC bit set in the header)
>
> If I'm not wrong RFCs does not state that partial answer must be returned
> to the client, so probably there is no issue in getting rid of them (with
> a configuration option :) )
>
> Is there any parameter that could let me achieve this result?
> Kind regards.
> Seba
>



More information about the bind-users mailing list