> My best guess is that DNS just makes the assumption that everything needs to fit in a single IP packet and it doesn't care if it is UDP or TCP.

It's not an assumption, it's a requirement. "Legacy" DNS has no provision for a response to exceed a single IP packet size. The assumption part is that this is adequate for a DNS response. Before DNSSEC, it was.

I believe DoH and friends don't have this restriction.

EDIT: too late to delete but this is wrong. See child comments.



> It's not an assumption, it's a requirement.

Where is this requirement? A DNS server responding over a TCP socket has no idea of the underlying IP datagram size. In a typical Ethernet, the TCP MSS will be 1460 bytes so the IP packets will all be under 1500 bytes. You certainly can get regular TCP DNS responses bigger than 1460 bytes. See elsewhere in this thread, "legacy" RFC1035 DNS over TCP has a 16-bit message prefix which limits the total DNS message to 64kiB. A valid maximum DNS TCP response can exceed (the almost entirely theoretical) max IP packet size by 22 bytes, FWIW.
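The 16-bit length prefix mentioned in this comment is what bounds a DNS message carried over TCP, and because TCP is a byte stream rather than a packet service, a receiver has to reassemble messages from that prefix regardless of how the bytes were segmented. The following Python is an added illustration of that framing, not code from any commenter; the query builder and the simulated two-segment arrival are constructed for the example.

```python
import struct

# A DNS-over-TCP message is prefixed by a 2-byte big-endian length (RFC 1035 section 4.2.2),
# so the largest message that can be framed is 65535 bytes.
MAX_DNS_TCP_MESSAGE = 0xFFFF


def frame_tcp_message(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length for transmission over TCP."""
    if len(msg) > MAX_DNS_TCP_MESSAGE:
        raise ValueError(f"DNS message of {len(msg)} bytes exceeds the 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def parse_tcp_stream(buf: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages.

    Returns (complete_messages, leftover). The leftover is whatever trailing
    bytes do not yet form a whole message: TCP delivers a byte stream, so one
    DNS message may arrive across several segments and several messages may
    arrive in a single segment. Nothing here depends on IP packet size.
    """
    messages = []
    offset = 0
    while len(buf) - offset >= 2:
        (length,) = struct.unpack_from("!H", buf, offset)
        if len(buf) - offset - 2 < length:
            break  # incomplete message; wait for more bytes from the socket
        messages.append(buf[offset + 2 : offset + 2 + length])
        offset += 2 + length
    return messages, buf[offset:]


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question); constructed for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def demo() -> dict:
    """Frame two queries, deliver them in two segments that cut the second one in half."""
    q1 = build_query("example.com.")
    q2 = build_query("example.net.", qtype=28)  # AAAA
    stream = frame_tcp_message(q1) + frame_tcp_message(q2)
    split = len(stream) - 10  # second "segment" carries the tail of q2
    first, leftover = parse_tcp_stream(stream[:split])
    second, leftover = parse_tcp_stream(leftover + stream[split:])
    biggest = frame_tcp_message(b"\x00" * MAX_DNS_TCP_MESSAGE)
    return {
        "first_batch": len(first),      # only q1 is complete after segment one
        "second_batch": len(second),    # q2 completes once the tail arrives
        "leftover": len(leftover),
        "roundtrip_ok": first + second == [q1, q2],
        "max_framed_len": len(biggest),  # 65535-byte payload plus 2-byte prefix
    }


if __name__ == "__main__":
    print(demo())
```

The receiver loop is the part worth copying: a real client reading from a socket should keep calling `parse_tcp_stream` on the accumulated buffer and only hand off messages once the prefixed length is fully present, rather than assuming one `recv()` returns one response.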


An IP packet can be much larger than a single TCP segment. It can be up to 65536 bytes. IP doesn't have datagrams, it has packets. Well, technically it does have datagrams but what I'm getting at is that with fragmentation (let's say you have broken PMTUD) an IP packet can be split up.

That said, terminology confusion aside, you are still correct and I was wrong. The response can indeed be larger than a single IP packet. 65536 + IP overhead, split across as many IP packets as needed (doesn't have to be a single very large fragmented packet).

I will delete my response!


> Well, technically it does have datagrams but what I'm getting at is that with fragmentation (let's say you have broken PMTUD) an IP packet can be split up.

Of course, but in the happy usual case your network stack should be starting off with a TCP MSS <= MTU + overhead and the IP datagrams will not be fragmented.

I used the term "datagram" because to higher layers like TCP, it is formally specified this way. I'm not too concerned about pedantry (except to avoid confusion) but this is the literal RFC9293 text: "The application byte-stream is conveyed over the network via TCP segments, with each TCP segment sent as an Internet Protocol (IP) datagram. "


Thanks for the corrections. I think pedantry is a good thing when discussing protocols.

Even today, PMTUD doesn't always work (as expected) because of VPN shenanigans. But right, usually you don't see fragments.
