Folks,

I think we need to get the DNS load-balancing stuff re-worked.
The large list of NS records for the zone, combined with the large
list of A records, is causing DNS packet truncation. For example:

% dig @ns1.us.bitnames.com. pool.ntp.org. a
; <<>> DiG 8.3 <<>> @ns1.us.bitnames.com. pool.ntp.org. a
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48946
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 9, ADDITIONAL: 3
;; QUERY SECTION:
;; pool.ntp.org, type = A, class = IN
;; ANSWER SECTION:
pool.ntp.org. 2M IN A 209.204.172.153
pool.ntp.org. 2M IN A 84.207.3.38
pool.ntp.org. 2M IN A 212.204.235.156
pool.ntp.org. 2M IN A 69.1.200.68
pool.ntp.org. 2M IN A 24.34.79.42
pool.ntp.org. 2M IN A 213.84.38.132
pool.ntp.org. 2M IN A 217.204.244.146
pool.ntp.org. 2M IN A 146.164.53.65
pool.ntp.org. 2M IN A 130.60.7.43
pool.ntp.org. 2M IN A 213.170.141.38
pool.ntp.org. 2M IN A 203.109.252.8
pool.ntp.org. 2M IN A 80.74.64.1
pool.ntp.org. 2M IN A 217.114.97.97
pool.ntp.org. 2M IN A 146.48.83.182
pool.ntp.org. 2M IN A 216.138.199.179
;; AUTHORITY SECTION:
pool.ntp.org. 1D IN NS aventura.bhms-groep.nl.
pool.ntp.org. 1D IN NS ns1.eu.bitnames.com.
pool.ntp.org. 1D IN NS ns1.mailworx.net.
pool.ntp.org. 1D IN NS ns1.us.bitnames.com.
pool.ntp.org. 1D IN NS ns3.us.bitnames.com.
pool.ntp.org. 1D IN NS slartibartfast.bhms-groep.nl.
pool.ntp.org. 1D IN NS superzooi.bhms-groep.nl.
pool.ntp.org. 1D IN NS usenet.net.nz.
pool.ntp.org. 1D IN NS zbasel.fortytwo.ch.
;; ADDITIONAL SECTION:
ns1.eu.bitnames.com. 12H IN A 84.243.240.3
ns1.us.bitnames.com. 3H IN A 63.251.223.170
ns3.us.bitnames.com. 6H IN A 67.19.103.171
;; Total query time: 171 msec
;; FROM: ntp2.isc.org to SERVER: 63.251.223.170
;; WHEN: Thu Jul 28 13:44:47 2005
;; MSG SIZE sent: 30 rcvd: 568

Doing an "any" query, the result is even bigger:

% dig @ns1.us.bitnames.com. pool.ntp.org. any
; <<>> DiG 8.3 <<>> @ns1.us.bitnames.com. pool.ntp.org. any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14870
;; flags: qr aa rd; QUERY: 1, ANSWER: 25, AUTHORITY: 0, ADDITIONAL: 3
;; QUERY SECTION:
;; pool.ntp.org, type = ANY, class = IN
;; ANSWER SECTION:
pool.ntp.org. 42m40s IN SOA ns1.us.bitnames.com. pool.ntp.org. (
1122557776 ; serial
15M ; refresh
15M ; retry
1W ; expiry
5M ) ; minimum
pool.ntp.org. 2M IN A 217.204.244.146
pool.ntp.org. 2M IN A 216.138.199.179
pool.ntp.org. 2M IN A 69.1.200.68
pool.ntp.org. 2M IN A 213.84.38.132
pool.ntp.org. 2M IN A 146.164.53.65
pool.ntp.org. 2M IN A 84.207.3.38
pool.ntp.org. 2M IN A 213.170.141.38
pool.ntp.org. 2M IN A 217.114.97.97
pool.ntp.org. 1D IN NS ns1.us.bitnames.com.
pool.ntp.org. 1D IN NS ns3.us.bitnames.com.
pool.ntp.org. 1D IN NS ns1.eu.bitnames.com.
pool.ntp.org. 1D IN NS zbasel.fortytwo.ch.
pool.ntp.org. 1D IN NS aventura.bhms-groep.nl.
pool.ntp.org. 1D IN NS slartibartfast.bhms-groep.nl.
pool.ntp.org. 1D IN NS superzooi.bhms-groep.nl.
pool.ntp.org. 1D IN NS usenet.net.nz.
pool.ntp.org. 1D IN NS ns1.mailworx.net.
pool.ntp.org. 2M IN A 130.60.7.43
pool.ntp.org. 2M IN A 146.48.83.182
pool.ntp.org. 2M IN A 212.204.235.156
pool.ntp.org. 2M IN A 24.34.79.42
pool.ntp.org. 2M IN A 80.74.64.1
pool.ntp.org. 2M IN A 203.109.252.8
pool.ntp.org. 2M IN A 209.204.172.153
;; ADDITIONAL SECTION:
ns1.eu.bitnames.com. 12H IN A 84.243.240.3
ns1.us.bitnames.com. 3H IN A 63.251.223.170
ns3.us.bitnames.com. 6H IN A 67.19.103.171
;; Total query time: 456 msec
;; FROM: ntp2.isc.org to SERVER: 63.251.223.170
;; WHEN: Thu Jul 28 13:42:50 2005
;; MSG SIZE sent: 30 rcvd: 604

Even just doing an SOA query results in a pretty large response:

% dig @ns1.us.bitnames.com. pool.ntp.org. soa
; <<>> DiG 8.3 <<>> @ns1.us.bitnames.com. pool.ntp.org. soa
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 9, ADDITIONAL: 3
;; QUERY SECTION:
;; pool.ntp.org, type = SOA, class = IN
;; ANSWER SECTION:
pool.ntp.org. 42m40s IN SOA ns1.us.bitnames.com. pool.ntp.org. (
1122557776 ; serial
15M ; refresh
15M ; retry
1W ; expiry
5M ) ; minimum
;; AUTHORITY SECTION:
pool.ntp.org. 1D IN NS aventura.bhms-groep.nl.
pool.ntp.org. 1D IN NS ns1.eu.bitnames.com.
pool.ntp.org. 1D IN NS ns1.mailworx.net.
pool.ntp.org. 1D IN NS ns1.us.bitnames.com.
pool.ntp.org. 1D IN NS ns3.us.bitnames.com.
pool.ntp.org. 1D IN NS slartibartfast.bhms-groep.nl.
pool.ntp.org. 1D IN NS superzooi.bhms-groep.nl.
pool.ntp.org. 1D IN NS usenet.net.nz.
pool.ntp.org. 1D IN NS zbasel.fortytwo.ch.
;; ADDITIONAL SECTION:
ns1.eu.bitnames.com. 12H IN A 84.243.240.3
ns1.us.bitnames.com. 3H IN A 63.251.223.170
ns3.us.bitnames.com. 6H IN A 67.19.103.171
;; Total query time: 229 msec
;; FROM: ntp2.isc.org to SERVER: 63.251.223.170
;; WHEN: Thu Jul 28 13:44:17 2005
;; MSG SIZE sent: 30 rcvd: 364

Do these queries out of cache, and you'll return additional
records for all the other nameservers, too. A cached SOA query for
this domain nearly exceeds the 512-byte limit all by itself:

% dig pool.ntp.org. soa
; <<>> DiG 8.3 <<>> pool.ntp.org. soa
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6224
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 9, ADDITIONAL: 9
;; QUERY SECTION:
;; pool.ntp.org, type = SOA, class = IN
;; ANSWER SECTION:
pool.ntp.org. 26m47s IN SOA ns1.us.bitnames.com. pool.ntp.org. (
1122556816 ; serial
15M ; refresh
15M ; retry
1W ; expiry
5M ) ; minimum
;; AUTHORITY SECTION:
pool.ntp.org. 23h44m7s IN NS slartibartfast.bhms-groep.nl.
pool.ntp.org. 23h44m7s IN NS ns1.eu.bitnames.com.
pool.ntp.org. 23h44m7s IN NS ns1.us.bitnames.com.
pool.ntp.org. 23h44m7s IN NS ns1.mailworx.net.
pool.ntp.org. 23h44m7s IN NS ns3.us.bitnames.com.
pool.ntp.org. 23h44m7s IN NS usenet.net.nz.
pool.ntp.org. 23h44m7s IN NS zbasel.fortytwo.ch.
pool.ntp.org. 23h44m7s IN NS aventura.bhms-groep.nl.
pool.ntp.org. 23h44m7s IN NS superzooi.bhms-groep.nl.
;; ADDITIONAL SECTION:
ns1.eu.bitnames.com. 1d23h46m11s IN A 84.243.240.3
ns1.us.bitnames.com. 1d23h46m11s IN A 63.251.223.170
ns1.mailworx.net. 1d23h46m11s IN A 69.1.200.68
ns3.us.bitnames.com. 1d23h46m11s IN A 67.19.103.171
usenet.net.nz. 1h16m11s IN A 202.49.59.6
zbasel.fortytwo.ch. 23h44m5s IN A 193.138.215.60
aventura.bhms-groep.nl. 3h44m5s IN A 217.114.97.98
superzooi.bhms-groep.nl. 3h46m11s IN A 207.226.17.241
slartibartfast.bhms-groep.nl. 3h44m5s IN A 217.114.97.97
;; Total query time: 4 msec
;; FROM: ntp2.isc.org to SERVER: 127.0.0.1
;; WHEN: Thu Jul 28 13:46:43 2005
;; MSG SIZE sent: 30 rcvd: 460

There are still a lot of people who have screwed-up firewall
configurations on their SOHO routers, which block TCP port 53. And
some who use resolvers that don't support TCP port 53. We really
need to get these answers reduced in size. Maybe cut out like half
the nameservers listed. And maybe cut in half the number of IP
addresses returned.

We just had a guy on #ntp who was unable to configure his server
to talk to pool.ntp.org machines, because he couldn't get DNS
resolution for that domain. He was using Gentoo, but I didn't get
any info from him as to what SOHO router he was using -- probably
something reasonably common.

I know we're in transition right now, but we also need to keep
our eye on things like this. Ideally, we should never cause DNS
packet truncation, not even from cached data for an "any" query,
which might include MX and SOA records in addition to the expected NS
and A records.

--
Brad Knowles, <[EMAIL PROTECTED]>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
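The message sizes quoted in the dig output above can be reproduced from the record lists alone, which makes it easy to check a proposed trimming of the zone before rolling it out. The following is an added example, not code from Brad's message or from the pool.ntp.org project: a small Python builder that serializes a DNS response with RFC 1035 name compression and reports its wire size. The names and addresses are copied from the captured answers; the message ID, flags and TTL values are assumptions (they occupy fixed-width fields and do not change the size). Because compression only depends on which suffixes have already been written, the record order in the captured answers does not matter, and the model reproduces the 568, 604, 364 and 460 byte responses exactly. It also shows what the proposed halving of the NS and A lists does to the authoritative A answer.

```python
"""Wire-size model for DNS responses with RFC 1035 name compression.

Added example: zone data below is copied from the dig output in the
message; message ID, flags and TTLs are assumed (size is unaffected).
"""
import struct

UDP_LIMIT = 512       # classic UDP payload limit without EDNS0 (RFC 1035)
A, NS, SOA = 1, 2, 6  # RR type codes used here


def encode_name(name, offset, table):
    """Encode `name` as it would appear at message offset `offset`.

    `table` maps suffixes already present in the message to their offsets;
    a repeated suffix is replaced by a 2-byte compression pointer, which is
    what makes repeated owner names and shared parent domains so cheap.
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        if offset + len(out) < 0x4000:  # pointers carry only a 14-bit offset
            table[suffix] = offset + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return bytes(out + b"\x00")


def build_response(qname, qtype, answers, authority, additional):
    """Serialize a response. Each RR is (owner, type, ttl, rdata); rdata is
    a dotted quad for A, a name for NS, and a 7-tuple for SOA."""
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1,
                                len(answers), len(authority), len(additional)))
    table = {}
    msg += encode_name(qname, len(msg), table) + struct.pack("!HH", qtype, 1)
    for section in (answers, authority, additional):
        for owner, rtype, ttl, rdata in section:
            msg += encode_name(owner, len(msg), table)
            msg += struct.pack("!HHI", rtype, 1, ttl)
            rdlen_at = len(msg)
            msg += b"\x00\x00"  # RDLENGTH, patched once RDATA is written
            if rtype == A:
                msg += bytes(int(o) for o in rdata.split("."))
            elif rtype == NS:
                msg += encode_name(rdata, len(msg), table)
            elif rtype == SOA:
                mname, rname, *fields = rdata
                msg += encode_name(mname, len(msg), table)
                msg += encode_name(rname, len(msg), table)
                msg += struct.pack("!IIIII", *fields)
            struct.pack_into("!H", msg, rdlen_at, len(msg) - rdlen_at - 2)
    return bytes(msg)


# Zone data as seen in the captured answers.
Q = "pool.ntp.org."
POOL_A = ["209.204.172.153", "84.207.3.38", "212.204.235.156", "69.1.200.68",
          "24.34.79.42", "213.84.38.132", "217.204.244.146", "146.164.53.65",
          "130.60.7.43", "213.170.141.38", "203.109.252.8", "80.74.64.1",
          "217.114.97.97", "146.48.83.182", "216.138.199.179"]
POOL_NS = ["aventura.bhms-groep.nl.", "ns1.eu.bitnames.com.",
           "ns1.mailworx.net.", "ns1.us.bitnames.com.", "ns3.us.bitnames.com.",
           "slartibartfast.bhms-groep.nl.", "superzooi.bhms-groep.nl.",
           "usenet.net.nz.", "zbasel.fortytwo.ch."]
NS_ADDR = {"ns1.eu.bitnames.com.": "84.243.240.3",
           "ns1.us.bitnames.com.": "63.251.223.170",
           "ns3.us.bitnames.com.": "67.19.103.171",
           "ns1.mailworx.net.": "69.1.200.68", "usenet.net.nz.": "202.49.59.6",
           "zbasel.fortytwo.ch.": "193.138.215.60",
           "aventura.bhms-groep.nl.": "217.114.97.98",
           "superzooi.bhms-groep.nl.": "207.226.17.241",
           "slartibartfast.bhms-groep.nl.": "217.114.97.97"}
# The authoritative server only added addresses for these three servers.
AUTH_ADDITIONAL = ["ns1.eu.bitnames.com.", "ns1.us.bitnames.com.",
                   "ns3.us.bitnames.com."]
SOA_RR = (Q, SOA, 2560, ("ns1.us.bitnames.com.", Q, 1122557776,
                         900, 900, 604800, 300))


def a_rrs(ips): return [(Q, A, 120, ip) for ip in ips]
def ns_rrs(names): return [(Q, NS, 86400, n) for n in names]
def addr_rrs(names): return [(n, A, 43200, NS_ADDR[n]) for n in names]


def a_query_size(n_a=15, n_ns=9):
    """Authoritative A answer carrying the first n_a A and n_ns NS records."""
    extra = [n for n in AUTH_ADDITIONAL if n in POOL_NS[:n_ns]]
    return len(build_response(Q, A, a_rrs(POOL_A[:n_a]),
                              ns_rrs(POOL_NS[:n_ns]), addr_rrs(extra)))


def any_query_size():
    """Authoritative ANY answer: SOA, all A and all NS in the answer section."""
    return len(build_response(Q, 255, [SOA_RR] + a_rrs(POOL_A) + ns_rrs(POOL_NS),
                              [], addr_rrs(AUTH_ADDITIONAL)))


def soa_query_size(cached=False):
    """SOA answer; a cache also returns an address for every nameserver."""
    extra = POOL_NS if cached else AUTH_ADDITIONAL
    return len(build_response(Q, SOA, [SOA_RR], ns_rrs(POOL_NS), addr_rrs(extra)))


def fits_in_udp(size): return size <= UDP_LIMIT


if __name__ == "__main__":
    for label, size in [("A (auth)", a_query_size()), ("ANY (auth)", any_query_size()),
                        ("SOA (auth)", soa_query_size()),
                        ("SOA (cached)", soa_query_size(cached=True)),
                        ("A, 8 A + 5 NS", a_query_size(8, 5))]:
        print(f"{label:16s} {size:4d} bytes  {'ok' if fits_in_udp(size) else 'over 512'}")
```

The arithmetic behind the numbers: every A record for pool.ntp.org costs a fixed 16 bytes (2-byte owner pointer, 10 bytes of type/class/TTL/RDLENGTH, 4 bytes of address), every NS record costs 12 bytes plus its nameserver name after compression, and each additional-section address costs another 16 bytes because the owner name is already in the message. That is why a caching resolver that adds glue for all nine nameservers pushes an SOA answer to 460 bytes, and why trimming to eight A and five NS records brings the A answer down to 344 bytes, well under the 512-byte limit that matters when TCP port 53 is blocked and the client has no EDNS0.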