This is a discussion on RE: packet too big within the Bind Users forums, part of the DNS and Related Forums category.
> -----Original Message-----
> From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf Of Jim Reid
> Sent: Friday, July 09, 2004 11:37 AM
> To: Michael Varre
> Cc: bind-users@isc.org
> Subject: Re: packet too big
>
> >>>>> "Michael" == Michael Varre <bind9@kishmish.com> writes:
>
> Michael> Yes, they are being blocked because they are larger than
> Michael> 512 bytes - I just don't understand why they are that
> Michael> large. Seems there should be a better explanation than
> Michael> just allowing larger packets through via a fixup.
>
> There is nothing in the DNS protocol that limits answers to 512 bytes.
> The string in a TXT record for instance can be up to 64 Kbytes. So it
> can't be assumed any answer from the DNS will be less than 512 bytes.
> That said, most DNS replies are < 512 bytes to avoid truncated
> responses and retried queries over TCP. However this cannot be assumed
> or guaranteed. You have no way of controlling what data other people
> put in their zones and therefore how much data their name servers have
> to send in a query response. There's even a DNS protocol extension,
> EDNS0, which allows for bigger UDP payloads. This will be a Big Win
> for things like DNSSEC, ENUM & IPv6 which can make DNS responses much
> bigger than they have been in the past.
>
> If you have a firewall that's blocking DNS payloads of more than 512
> bytes (ie EDNS0 packets or DNS traffic over TCP), it's broken. It's
> that simple.

Ok, so plain and simple my pix should not be blocking dns packets larger than 512 bytes - it is an error on the pix's end. I didn't want to do that unless it were the _correct_ fix - thanks for your help everyone - hopefully the day will get better now :)

mv
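The thread's point is that a DNS reply may legitimately exceed 512 bytes: either the server advertises EDNS0 and sends a larger UDP payload, or it sets the TC bit and the resolver retries over TCP. The following Python is an added example written for this page, not code from the thread, ISC or BIND; it builds constructed DNS responses in memory (no network, no real zone data) and inspects the header flags and the EDNS0 OPT pseudo-record so an operator can see exactly why a "512 bytes only" firewall fixup drops a given reply. All names, sizes and TXT strings are constructed sample values.

```python
import struct

DNS_UDP_LIMIT = 512          # classic RFC 1035 maximum UDP payload size
TYPE_TXT, TYPE_OPT = 16, 41  # RR type codes: TXT, and the EDNS0 OPT pseudo-RR
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(txid, name, txt_strings, tc=False, edns_udp_size=None):
    """Build a constructed DNS response (not a real capture): one TXT answer
    and, if edns_udp_size is given, an EDNS0 OPT record in the additional
    section. Each TXT character-string must be at most 255 bytes."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if tc else 0)
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    rdata = b"".join(bytes([len(s)]) + s.encode() for s in txt_strings)
    # Answer owner name is a compression pointer (0xC00C) back to the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    msg = header + question + answer
    if edns_udp_size is not None:
        # OPT RR: root owner name, type 41; the CLASS field carries the
        # sender's maximum UDP payload size (RFC 6891), TTL carries flags.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1 + length


def analyze_response(msg):
    """Parse a DNS message and report the facts that decide whether a
    512-byte UDP filter would drop it: total size, TC bit, EDNS0 size."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            edns_size = rclass                 # UDP payload size lives in CLASS
        off += rdlen
    truncated = bool(flags & FLAG_TC)
    if len(msg) <= DNS_UDP_LIMIT:
        verdict = "fits the classic 512-byte UDP limit"
    elif edns_size is not None:
        verdict = "EDNS0 reply above 512 bytes: a 512-byte-only fixup drops it"
    else:
        verdict = "oversized non-EDNS reply: server should set TC and force TCP"
    if truncated:
        verdict += "; TC set, resolver will retry over TCP port 53"
    return {
        "id": txid,
        "length": len(msg),
        "over_512": len(msg) > DNS_UDP_LIMIT,
        "truncated": truncated,
        "edns_udp_size": edns_size,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample: a 600-byte TXT RRset carried in one EDNS0 UDP reply.
    big = build_response(0x1234, "example.com.", ["A" * 200] * 3, edns_udp_size=4096)
    print(analyze_response(big))
    # Constructed sample: a small reply that fits the classic limit.
    print(analyze_response(build_response(1, "example.com.", ["v=spf1 -all"])))
```

Run it against a captured reply (e.g. the UDP payload from a pcap) by passing the raw bytes to `analyze_response`; a result with `over_512` true and a non-null `edns_udp_size` is precisely the "EDNS0 packet" Jim Reid describes, and a firewall that only permits 512-byte DNS, or blocks TCP 53 for the TC retry, is the component to fix.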