On 14. 07. 25 11:14, Kazunori Fujiwara wrote:
- current proposed upper limits
+==============================================+=============+
| Name                                         | upper limit |
+==============================================+=============+
| number of RRs in an RRSet                    | 100         |
+----------------------------------------------+-------------+
| number of NS RRs in a delegation             | 13          |
+----------------------------------------------+-------------+
| number of glue RRs in a delegation           | 26          |
+----------------------------------------------+-------------+
| number of DS RRs in a delegation             | 8           |
+----------------------------------------------+-------------+
| number of DNSKEY RRs in an RRSet             | 8           |
+----------------------------------------------+-------------+
| number of RRSIG RRs for each name and type   | 8           |
+----------------------------------------------+-------------+
| number of CNAME/DNAME chains                 | 9           |
+----------------------------------------------+-------------+
| number of levels of gluelessness delegations | 3           |
+----------------------------------------------+-------------+
Dear Fujiwara-san.

I apologize for not paying attention sooner. For inspiration, here's a
couple more limits BIND enforces.
- max-query-count - number of iterative queries while servicing a single
recursive query. Default 200 packets.
- max-recursion-queries - number of iterative queries while servicing a
recursive query - while looking up a single name. CNAME restarts this
counter. Default 50 packets.
- max-recursion-depth - number of levels of recursion permitted at any
one time while servicing a recursive query. Default 7.
- resolver-query-timeout - total deadline before giving up a single
recursive query - 10 seconds.
- max-validations-per-fetch - number of DNSSEC validations that can
happen in a single fetch/processing a single cache miss. Default 16.
- max-validation-failures-per-fetch - number of DNSSEC validation
failures that can happen in a single fetch/single cache miss. Default 1.
IMHO limit on number of RRs in an RRset is just a cheap hack to limit
impact of other things going out of hand, like sub-optimal data
structures etc. This particular value does cause operational issues
because there are legitimate domains with more than 100 RRs.
--
Petr Špaček
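
An added example, not part of the original message and not BIND code: a simplified Python model of the two query counters as the message describes them, showing why a per-name counter that restarts on CNAME still needs the overall per-client-query cap. The class and function names and the per-name workload of 45 queries are constructed for illustration; the defaults (200, 50) and the chain length of 9 come from the message and the quoted table.

```python
from dataclasses import dataclass


class BudgetExceeded(Exception):
    """Raised when one of the modelled limits would be exceeded."""
    def __init__(self, limit):
        super().__init__(limit)
        self.limit = limit


@dataclass
class QueryBudget:
    # Defaults as quoted in the message; the model itself is an assumption.
    max_query_count: int = 200       # iterative queries per client query
    max_recursion_queries: int = 50  # iterative queries per looked-up name
    total: int = 0
    per_name: int = 0

    def send(self):
        """Account for one outgoing iterative query."""
        if self.total >= self.max_query_count:
            raise BudgetExceeded("max-query-count")
        if self.per_name >= self.max_recursion_queries:
            raise BudgetExceeded("max-recursion-queries")
        self.total += 1
        self.per_name += 1

    def follow_cname(self):
        """A CNAME restarts the per-name counter; the total keeps running."""
        self.per_name = 0


def resolve(chain, budget=None):
    """Model one client query.

    chain[i] is the number of iterative queries needed for the i-th name
    in a CNAME chain (constructed workload). Returns (queries_sent, limit),
    where limit is the name of the limit that stopped resolution, or None.
    """
    if budget is None:
        budget = QueryBudget()
    for i, cost in enumerate(chain):
        if i > 0:
            budget.follow_cname()
        try:
            for _ in range(cost):
                budget.send()
        except BudgetExceeded as exc:
            return budget.total, exc.limit
    return budget.total, None
```

With an original name plus 9 CNAME targets at 45 queries each, the per-name limit never trips, and only the overall cap stops resolution at 200 packets instead of 450.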