RE: DNS UDP packets > 512 bytes (was: (no subject))

["Reckhard, Tobias" <tobias.reckhard () secunet com>]

> Not true, although it's a common misconception.  There is a
> DNS enhancement (EDNS0) that (if implemented on both an authoritative
> server and a resolver or recursive server) allows UDP responses
> larger than 512 bytes.  If the two ends of a DNS transaction
> think that EDNS0 is in use but an intervening network device
> drops the large packets, then DNS resolution will break.
>
> This means that a firewall that drops UDP packets > 512 bytes
> is *not* "perfectly compliant".  Hopefully the firewall implementors
> are starting to be aware of this...

Yes, EDNS0 exists, but AFAIK it's not an Internet Standard (feel free to
prove me wrong, I'll happily accept being corrected). It's in the standards
track, but it's not to be found at http://www.rfc-editor.org/rfcxx00.html
with data as of Feb 19, 2003. Therefore, firewalls that don't support can
indeed claim to be "perfectly compliant with the Official Internet Protocol
Standards", at least as far as this issue goes.

However, since there appears to be an installed base of software that
supports it, perhaps firewall developers should indeed extend their
DNS-handling code appropriately.

Cheers,
Tobias
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards