Dear Petr san,

Thanks very much.

These limits are useful because they are already implemented and seem to be effective for stable operation of the resolver. By the way, it seems necessary to read the BIND 9 source code to understand the specific meaning of each upper limit value. Unbound and other implementations may also have such upper limits. How do we add them to the draft?

> IMHO limit on number of RRs in an RRset is just a cheap hack to limit
> impact of other things going out of hand, like sub-optimal data
> structures etc. This particular value does cause operational issues
> because there are legitimate domains with more than 100 RRs.

I agree, but an RRSet with a large number of RRs cannot be carried over UDP transport and will eventually break down as they approach the 65535 octets limit. I think that apex TXT will become smaller once domain verification techniques are standardized and widespread.

--
Kazunori Fujiwara, JPRS <[email protected]>

> From: Petr Špaček <[email protected]>
> Dear Fujiwara-san.
>
> I apologize for not paying attention sooner. For inspiration here's a
> couple more limits BIND enforces.
>
> - max-query-count - number of iterative queries while servicing a single
>   recursive query. Default 200 packets.
>
> - max-recursion-queries - number of iterative queries while servicing a
>   recursive query - while looking up a single name. CNAME restarts this
>   counter. Default 50 packets.
>
> - max-recursion-depth - number of levels of recursion permitted at any
>   one time while servicing a recursive query. Default 7.
>
> - resolver-query-timeout - total deadline before giving up a single
>   recursive query - 10 seconds.
>
> - max-validations-per-fetch - number of DNSSEC validations that can
>   happen in a single fetch/processing a single cache miss. Default 16.
>
> - max-validation-failures-per-fetch - number of DNSSEC validation
>   failures that can happen in a single fetch/single cache miss. Default
>   1.
>
> IMHO limit on number of RRs in an RRset is just a cheap hack to limit
> impact of other things going out of hand, like sub-optimal data
> structures etc. This particular value does cause operational issues
> because there are legitimate domains with more than 100 RRs.
> --
> Petr Špaček
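
A toy model of how the per-name max-recursion-queries counter and the overall max-query-count budget from the quoted list interact along a CNAME chain. This is an added example, not BIND code and not part of either message; the `resolve` function, the cost lists and the exact comparisons are assumptions made for illustration.

```python
# Toy model of two resolver budgets (added example, not BIND source code).
# The default values are the ones quoted in the message; the accounting
# and the "greater than" comparison are simplifying assumptions.

MAX_QUERY_COUNT = 200        # iterative queries per client (recursive) query
MAX_RECURSION_QUERIES = 50   # iterative queries per name; a CNAME restarts it


class BudgetExceeded(Exception):
    """Raised when the modelled resolver would give up on the query."""


class Budget:
    def __init__(self):
        self.total = 0      # counted against max-query-count
        self.per_name = 0   # counted against max-recursion-queries

    def send_query(self):
        self.total += 1
        self.per_name += 1
        if self.per_name > MAX_RECURSION_QUERIES:
            raise BudgetExceeded("max-recursion-queries")
        if self.total > MAX_QUERY_COUNT:
            raise BudgetExceeded("max-query-count")

    def follow_cname(self):
        # New target name: the per-name counter restarts, the total does not.
        self.per_name = 0


def resolve(chain_costs):
    """chain_costs is constructed input: the number of iterative queries
    needed for each name in a CNAME chain, in order.
    Returns ("ok", total_queries) or ("gave_up", name_of_limit_hit)."""
    budget = Budget()
    try:
        for index, cost in enumerate(chain_costs):
            if index > 0:
                budget.follow_cname()
            for _ in range(cost):
                budget.send_query()
    except BudgetExceeded as exc:
        return ("gave_up", str(exc))
    return ("ok", budget.total)
```

A chain such as `[45, 45, 45, 45, 45]` never exceeds the per-name limit, yet it is stopped by the overall budget, which is why the restart on CNAME does not make the work unbounded.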
