
Truncated DNS message over UDP


Sebastiano Di Paola

Jun 27, 2012, 4:43:17 AM
to bind-...@lists.isc.org
Hello everyone,
Before sending this email I tried to do some searches on this topic, but
no luck so far... so before bothering bind-workers, here's my question.

I was wondering if a configuration option exists in order to force the
BIND server to send a "minimal (from the size and number of returned
records point of view)" response in case the truncated bit is set in the
header.

Let me explain better...
1) Client asks for "www.mydomain.com" type ANY to my server (RD bit is set)
2) Server gets the response (does not matter if from cache or not) but
the answer is bigger than 512 bytes (or the server has the udp-max-size
512 parameter in its configuration)
3) Server sends the answer with TC bit = 1, but instead of giving a partial
response the header is like this: QDCOUNT = 1, ANCOUNT = 0, NSCOUNT = 0,
ADDITIONAL = 0 (if there is no EDNS0 in the query), and just sends back the
question section.
4) Client (if needed) redoes the query using TCP (some clients do not
use records contained in packets with the TC bit set in the header)

If I'm not wrong, the RFCs do not state that a partial answer must be
returned to the client, so probably there is no issue in getting rid
of them (with a configuration option :) )

Is there any parameter that could let me achieve this result?
Kind regards.
Seba

Marc Lampo

Jun 27, 2012, 8:10:06 AM
to Sebastiano Di Paola, bind-...@lists.isc.org
Hello,

Several RFCs on DNS do state that name servers (not only BIND) should
avoid, if possible, sending messages that would require the TC bit set in
the reply.

Replies can stay shorter if some sections (authority/additional) are
not included in the reply.
I know for sure that DNSSEC-related RFCs explicitly state to leave the
authority/additional sections empty if filling them would lead to the
answer becoming too big and requiring the TC bit to be set.
--> it is not a configuration setting, it's RFC-defined.


Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)

Sebastiano Di Paola

Jun 27, 2012, 9:14:53 AM
to bind-...@lists.isc.org, Marc Lampo
Hi,
Marc, you are right saying "When it's possible..."

But I want to address the situation when the DNS server is made
to limit the response to 512 bytes (i.e. for BIND the server parameter
udp-max-size 512) and the answer is bigger. (Imagine I have a big TXT
record, for example.)

As BIND up to version 9.9.1-P1 gives a partial answer in this case
(filling the reply packet up to 512 bytes and setting the TC bit), is there
any configuration to obtain a response packet with the "answer"
and "authority" sections omitted and, unless an additional record is
specified by the query packet (i.e. setting EDNS0), the "additional"
section as well?

The behaviour I observed is not what you said is stated in the DNSSEC-related
RFCs (but I'm not just talking about DNSSEC), even if I would have liked
it to be like that.
Regards,
Sebastiano

Jay Ford

Jun 27, 2012, 10:20:13 AM
to Sebastiano Di Paola, bind-...@lists.isc.org
On Wed, 27 Jun 2012, Sebastiano Di Paola wrote:
> Hello everyone,
> before sending this email I tried to do some searches on this topic, but
> no luck so far... so before bothering bind-workers here's my question
>
> I was wondering if a configuration option exists in order to force
> bind server to send a "minimal (from size and number of returned
> record point of view)" response in case the truncated bit is set in the
> header.

See if "minimal-responses yes" does what you want.

If I'm recalling correctly, it applies to all responses, not just those which
would be truncated.

It can cause more subsequent queries to get the information which would have
been in the first response, but they'll probably all be UDP, which might be
better than falling back to TCP.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-...@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
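Added example, not code from the thread or from BIND: a small standard-library Python model of the three reply policies discussed above, so the difference between them can be measured in bytes. `build_response` assembles a wire-format DNS reply under a fixed UDP size cap and follows one of: `partial` (fill the answer section with as many RRs as fit, then set TC, the BIND 9.9.1-P1 behaviour Sebastiano reports), `question_only` (on overflow return only the question, plus the OPT RR if the query carried EDNS0, which is what he asked for), or `minimal` (omit authority and additional up front, a simplified version of what `minimal-responses yes;` does in named.conf, as Jay suggests; it applies whether or not the reply would have been truncated). Two facts worth knowing alongside this: the BIND option that caps the UDP reply size is spelled `max-udp-size`, not `udp-max-size`, and RFC 2181 section 9 says TC should be set only when a required RRset cannot be included in full, which is why the model drops authority/additional RRs that do not fit without setting TC. The zone data (`www.example.com` TXT records of 200 bytes, `ns1`/`ns2` NS and A records in 192.0.2.0/24), the query ID and the `demo` helper are constructed for the example; names are written without label compression.

```python
"""Model of DNS-over-UDP truncation policies (added example, not BIND code)."""
import struct

FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_NS, TYPE_TXT, TYPE_OPT, TYPE_ANY = 1, 2, 16, 41, 255
CLASS_IN = 1
HEADER_LEN = 12


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def question(name, qtype):
    return encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def txt_rdata(text):
    """TXT rdata is one or more <character-string>s, each at most 255 bytes."""
    return bytes([len(text)]) + text.encode("ascii")


def opt_rr(udp_payload_size):
    """EDNS0 OPT pseudo-RR (RFC 6891): root owner, type 41, CLASS field = UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": qid, "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_response(qid, q, answer, authority, additional, max_size, policy, edns_size=None):
    """Build a reply no larger than max_size bytes.

    policy:
      "partial"       keep as many answer RRs as fit, then set TC (BIND 9.9.1-P1 per the thread)
      "question_only" if the answer does not fit, send only the question (and OPT) with TC=1
      "minimal"       never send authority/additional, then behave as "partial"
    edns_size: UDP payload size from the query's OPT RR, None if the query had no EDNS0.
    Simplification (assumption, not BIND's exact logic): authority/additional are optional,
    so RRs there that do not fit are dropped silently instead of setting TC (RFC 2181 s.9).
    """
    opt = opt_rr(edns_size) if edns_size is not None else b""
    if policy == "minimal":
        authority, additional = [], []
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA
    budget = max_size - HEADER_LEN - len(q) - len(opt)   # bytes left for RR sections
    sections = [[], [], []]                              # answer, authority, additional
    used, truncated = 0, False
    for r in answer:                     # the answer section is required: overflow means TC
        if used + len(r) > budget:
            truncated = True
            break
        sections[0].append(r)
        used += len(r)
    if truncated:
        flags |= FLAG_TC
        if policy == "question_only":
            sections = [[], [], []]      # header + question (+ OPT) only, no partial RRset
    else:
        for idx, sec in ((1, authority), (2, additional)):
            for r in sec:
                if used + len(r) > budget:
                    break                # drop the rest of this optional section, no TC
                sections[idx].append(r)
                used += len(r)
    arcount = len(sections[2]) + (1 if opt else 0)
    body = q + b"".join(sections[0] + sections[1] + sections[2]) + opt
    return struct.pack("!HHHHHH", qid, flags, 1, len(sections[0]), len(sections[1]), arcount) + body


def demo(policy, n_txt=3, edns_size=None, max_size=512):
    """Constructed sample: ANY query for www.example.com with n_txt 200-byte TXT records."""
    name = "www.example.com"
    q = question(name, TYPE_ANY)
    answer = [rr(name, TYPE_TXT, txt_rdata("x" * 200)) for _ in range(n_txt)]
    authority = [rr("example.com", TYPE_NS, encode_name("ns%d.example.com" % i)) for i in (1, 2)]
    additional = [rr("ns%d.example.com" % i, TYPE_A, bytes([192, 0, 2, i])) for i in (1, 2)]
    msg = build_response(0x1234, q, answer, authority, additional, max_size, policy, edns_size)
    return len(msg), parse_header(msg)


if __name__ == "__main__":
    for args in (("partial",), ("question_only",), ("question_only", 3, 4096),
                 ("partial", 1), ("minimal", 1)):
        print(args, demo(*args))
```

With three 228-byte TXT RRs the full answer (717 bytes with header and question) cannot fit in 512: `partial` ships two of them in 489 bytes with TC=1, `question_only` ships 33 bytes (44 with an OPT RR echoed back) with TC=1 and ANCOUNT=0, so a client that ignores RRs in truncated replies anyway saves the bandwidth. With a single TXT RR nothing is truncated, and `minimal` still cuts the reply from 403 to 261 bytes by leaving out the NS and glue records, which is Jay's point that the option affects every response, not only the ones that would have been truncated.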