<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div> Because it isn't all about UDP size. Sending an OPT signals that the client supports EDNS. Also, if you want DNSSEC, you send the DO with EDNS. </div><div id="AppleMailSignature"><br>-- <div>Mark Andrews</div></div><div><br>On 17 Sep 2017, at 16:10, Harshith Mulky <<a href="mailto:harshith.mulky@outlook.com">harshith.mulky@outlook.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>On 15.09.2017 at 09:37, Harshith Mulky wrote:<br>
> Hello Experts,<br>
> <br>
> I had a query on advertising the payload size on client in DNS Responses<br>
> over UDP/TCP<br>
> <br>
> <br>
> This is as much I have understood from RFC 6891, that a<br>
> requester (client) can address his capabilities to restrict the UDP<br>
> Payload size to a limit between 512 to 4096 bytes based on his<br>
> limitation when supporting EDNS Procedures.<br>
> <br>
> Is it the same case with TCP?<br>
> <br>
> Can we (client) advertise our capabilities over TCP to limit the payload<br>
> size in Responses?<br>
<br>
Why would you want to do that?<br>
<br>
TCP doesn't suffer from the problem of a faked source IP and the response<br>
going back to the attacked victim! What do you imagine will happen when<br>
your response data is larger? In the case of UDP the fallback is simply TCP,<br>
and then you want to cripple that fallback?<br>
</p>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<br>
</div>
[Harshith] But I do not understand why an OPT section would be required in a TCP query. As I see from my traces, even TCP queries carry an OPT section with the advertised sizes the client supports! Why would this be necessary? I do not want to cripple the fallback,
but if a query is intending to do so from a resolver, how do we stop that?</div>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<br>
</div>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
Thanks<br>
<br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> bind-users <<a href="mailto:bind-users-bounces@lists.isc.org">bind-users-bounces@lists.isc.org</a>> on behalf of <a href="mailto:bind-users-request@lists.isc.org">bind-users-request@lists.isc.org</a> <<a href="mailto:bind-users-request@lists.isc.org">bind-users-request@lists.isc.org</a>><br>
<b>Sent:</b> Friday, September 15, 2017 5:30 PM<br>
<b>To:</b> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<b>Subject:</b> bind-users Digest, Vol 2734, Issue 2</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">
Today's Topics:<br>
<br>
1. Re: What is wrong with my second $ORIGIN (Harshith Mulky)<br>
2. Re: Is there a need for clients to advertize the capabilities<br>
for DNS Responses over TCP (Reindl Harald)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 15 Sep 2017 01:16:08 -0700 (MST)<br>
From: Harshith Mulky <<a href="mailto:harshith.mulky@outlook.com">harshith.mulky@outlook.com</a>><br>
To: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Subject: Re: What is wrong with my second $ORIGIN<br>
Message-ID: <<a href="mailto:1505463368415-0.post@n4.nabble.com">1505463368415-0.post@n4.nabble.com</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Thank you all.<br>
<br>
Did not notice I had missed a trailing '.' <br>
<br>
Will make sure I do not miss these things the next time I test<br>
<br>
<br>
<br>
--<br>
Sent from: <a href="http://bind-users-forum.2342410.n4.nabble.com/">http://bind-users-forum.2342410.n4.nabble.com/</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 15 Sep 2017 12:30:23 +0200<br>
From: Reindl Harald <<a href="mailto:h.reindl@thelounge.net">h.reindl@thelounge.net</a>><br>
To: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Subject: Re: Is there a need for clients to advertize the capabilities<br>
for DNS Responses over TCP<br>
Message-ID: <<a href="mailto:ac3458f0-305d-fc4f-868b-bd5ffed1f41b@thelounge.net">ac3458f0-305d-fc4f-868b-bd5ffed1f41b@thelounge.net</a>><br>
Content-Type: text/plain; charset=windows-1252; format=flowed<br>
<br>
<br>
On 15.09.2017 at 09:37, Harshith Mulky wrote:<br>
> Hello Experts,<br>
> <br>
> I had a query on advertising the payload size on client in DNS Responses<br>
> over UDP/TCP<br>
> <br>
> <br>
> This is as much I have understood from RFC 6891, that a<br>
> requester (client) can address his capabilities to restrict the UDP<br>
> Payload size to a limit between 512 to 4096 bytes based on his<br>
> limitation when supporting EDNS Procedures.<br>
> <br>
> Is it the same case with TCP?<br>
> <br>
> Can we (client) advertise our capabilities over TCP to limit the payload<br>
> size in Responses?<br>
<br>
Why would you want to do that?<br>
<br>
TCP doesn't suffer from the problem of a faked source IP and the response<br>
going back to the attacked victim! What do you imagine will happen when<br>
your response data is larger? In the case of UDP the fallback is simply TCP,<br>
and then you want to cripple that fallback?<br>
<br>
<br>
------------------------------<br>
<br>
</div>
</span></font></div>
</div>
</div>
</div></blockquote></body></html>
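The thread's point, that the OPT pseudo-RR is the EDNS capability signal and that its CLASS field limits only UDP responses, is easiest to see on the wire. The following Python is an added example written for this page; it is not code from the thread or from BIND. It builds a constructed query with (or without) an OPT RR, parses the OPT back out, and shows how a server would size its response per transport. It goes slightly beyond the thread by also covering the no-EDNS and sub-512-byte cases. The 1232-byte server ceiling is an assumed operator setting, not a protocol constant.

```python
import struct

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000      # DNSSEC OK flag, bit 15 of the OPT TTL field


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, edns=True, udp_payload=4096, do=True, msg_id=0x1234):
    """Build a wire-format DNS query, optionally with an OPT RR in the additional section.

    The OPT RR is what tells the server the client speaks EDNS; the bytes are
    identical whether the message travels over UDP or TCP (constructed sample)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0 (no options)
        ttl = DO_BIT if do else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return msg


def _read_name(buf, off):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return (".".join(labels) + "." if labels else "."), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            return (".".join(labels) + "." + tail if labels else tail), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_edns(msg):
    """Walk every RR after the question section and report what the OPT RR (if any) says."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    info = {"edns": False, "udp_payload": 512, "version": None, "do": False}
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info.update(edns=True, udp_payload=rclass,
                        version=(ttl >> 16) & 0xFF, do=bool(ttl & DO_BIT))
    return info


def response_size_limit(info, transport, server_max_udp=1232):
    """Largest response the server should emit for this query on this transport.

    server_max_udp is an assumed operator setting (1232 is a common choice), not a protocol constant."""
    if transport == "tcp":
        return 65535          # bounded only by the 2-byte length prefix; OPT payload size is UDP-only
    if not info["edns"]:
        return 512            # classic DNS without OPT
    return min(max(info["udp_payload"], 512), server_max_udp)   # RFC 6891: below 512 counts as 512


def negotiate(msg, transport, server_max_udp=1232):
    """Summary a server would act on: EDNS present, DO requested, and the size ceiling."""
    info = parse_edns(msg)
    return {"edns": info["edns"], "do": info["do"],
            "limit": response_size_limit(info, transport, server_max_udp)}


if __name__ == "__main__":
    q = build_query("example.com.", udp_payload=4096, do=True)   # constructed sample query
    for transport in ("udp", "tcp"):
        print(transport, negotiate(q, transport))
```

Run as-is it prints the same EDNS and DO flags for both transports but a 1232-byte ceiling for UDP and none for TCP, which is why a TCP query still carries the OPT: the server needs it to know it may answer with EDNS and DNSSEC records, even though the advertised UDP size plays no part in sizing the TCP reply.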