Re: Is there a need for clients to advertize the capabilities for DNS Responses over TCP

2017-09-15 Thread Warren Kumari
On Fri, Sep 15, 2017 at 3:37 AM, Harshith Mulky wrote:
> Hello Experts,
>
>
> I had a query on advertising the payload size on client in DNS Responses
> over UDP/TCP
>
>
> This is as much I have understood from RFC 6891, that a requester (client)
> can address his capabilities to restrict the UDP Payload size to a limit
> between 512 and 4096 bytes based on his limitation when supporting EDNS
> Procedures.
>
>
> Is it the same case with TCP?
>
>
> Can we (client) advertize our capabilities over TCP to limit the payload size
> in Responses?

What is it that you are actually trying to accomplish / why?
I'm going to assume that this is to deal with some sort of brokenness
and not just idle curiosity[0].

If you are actually experiencing issues with DNS over TCP it is most
likely that you have some sort of broken path MTU discovery issue, and
have a lower than expected MTU (this is likely also affecting other
applications), but it could also be some broken middle box -- for
example Cisco PIX has some, er, interesting DNS TCP artifacts:
"Customers with NAT configured on a Cisco IOS device may experience
issues receiving large DNS query response messages when TCP is used as
the transport. Cisco IOS NAT does not have support for reassembling
TCP segments. The lack of support for TCP segment reassembly is a
well-known issue that is documented under the question "Q. What is the
difference between IP fragmentation and TCP segmentation?" at the
following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml."

Anyway, without knowing more it is tricky to know what your actual
issue is, but a: fixing pMTUd by making sure ICMP is allowed would
likely be helpful, or b: decreasing the MTU / MSS to your actual MTU
may help.

W
[0]: Which is also fine, but I needed to start somewhere.


>
> Thanks
>
> Harshith
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Re: Is there a need for clients to advertize the capabilities for DNS Responses over TCP

2017-09-15 Thread Reindl Harald


On 15.09.2017 at 09:37, Harshith Mulky wrote:

> Hello Experts,
>
> I had a query on advertising the payload size on client in DNS Responses
> over UDP/TCP
>
> This is as much I have understood from RFC 6891, that a
> requester (client) can address his capabilities to restrict the UDP
> Payload size to a limit between 512 and 4096 bytes based on his
> limitation when supporting EDNS Procedures.
>
> Is it the same case with TCP?
>
> Can we (client) advertize our capabilities over TCP to limit the payload
> size in Responses?


why would you want to do that?

TCP doesn't suffer from the problem of a faked source IP and the response 
going back to the attacked victim! what do you imagine to happen when 
your response data is larger? in case of UDP the fallback is simply TCP 
and then you want to cripple that fallback?



Is there a need for clients to advertize the capabilities for DNS Responses over TCP

2017-09-15 Thread Harshith Mulky
Hello Experts,


I had a query on advertising the payload size on client in DNS Responses over 
UDP/TCP


This is as much I have understood from RFC 6891, that a requester (client) can 
address his capabilities to restrict the UDP Payload size to a limit between 
512 and 4096 bytes based on his limitation when supporting EDNS Procedures.


Is it the same case with TCP?


Can we (client) advertize our capabilities over TCP to limit the payload size in 
Responses?


Thanks

Harshith
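As an added illustration of the point raised in this question and in the replies (this is not code from the thread or from BIND): the EDNS(0) OPT record advertises a UDP payload size only, a UDP response that does not fit is sent back with TC=1 so the client retries over TCP, and over TCP the 2-byte length prefix frames messages up to 65535 bytes, so there is no equivalent client-side advertisement. Python standard library only; the query/response bytes are constructed for the example.

```python
import struct

EDNS_OPT_TYPE = 41
TCP_MAX_MESSAGE = 65535   # RFC 1035 4.2.2: a 2-byte length prefix frames each TCP message
CLASSIC_UDP_LIMIT = 512   # RFC 1035 limit when the query carries no OPT RR

def build_opt_rr(udp_payload_size):
    """OPT pseudo-RR (RFC 6891 6.1.2): NAME=root, TYPE=41, CLASS=UDP payload size,
    TTL=extended RCODE/version/flags (all zero here), RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload_size, 0, 0)

def advertised_udp_size(opt_rr):
    """Read the requester's UDP payload size out of an OPT RR (RFC 6891 6.2.3:
    values below 512 are treated as 512)."""
    rrtype, size = struct.unpack("!HH", opt_rr[1:5])
    if opt_rr[0] != 0 or rrtype != EDNS_OPT_TYPE:
        raise ValueError("not an OPT RR")
    return max(size, CLASSIC_UDP_LIMIT)

def question_end(msg):
    """Offset just past the question section (QDCOUNT names + QTYPE/QCLASS)."""
    pos = 12
    for _ in range(struct.unpack("!H", msg[4:6])[0]):
        while msg[pos] != 0:          # walk the labels; questions use no compression
            pos += 1 + msg[pos]
        pos += 1 + 4                  # terminating zero label + QTYPE + QCLASS
    return pos

def deliver(response, transport, opt_rr=None):
    """Return (wire_bytes, truncated) as a server would send `response`. UDP: honour
    the advertised size (512 without an OPT RR) and truncate with TC=1 otherwise,
    so the client retries over TCP. TCP: nothing is advertised; up to 65535 bytes."""
    if transport == "tcp":
        if len(response) > TCP_MAX_MESSAGE:
            raise ValueError("message exceeds the TCP length prefix")
        return struct.pack("!H", len(response)) + response, False
    limit = advertised_udp_size(opt_rr) if opt_rr else CLASSIC_UDP_LIMIT
    if len(response) <= limit:
        return response, False
    hdr = bytearray(response[:12])
    hdr[2] |= 0x02                    # TC bit (bit 9 of the flags word)
    hdr[6:12] = b"\x00" * 6           # ANCOUNT, NSCOUNT, ARCOUNT = 0 (simplified: drops OPT too)
    return bytes(hdr) + response[12:question_end(response)], True

def sample_response(answer_filler):
    """Constructed response: ID 0x1234, QR=1 RD=1 RA=1, question example.com A IN,
    then filler bytes standing in for the answer section (only its length matters)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    return header + question + answer_filler
```

A 1329-byte constructed response is truncated to a 29-byte TC=1 reply without an OPT RR, delivered whole when the query advertised 4096 bytes, and delivered whole with a 2-byte length prefix over TCP regardless of any advertisement.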
