I want to set up a domain with two different DNS providers - Route53 and Azure. When testing the domain with ZoneMaster I get the following warning:

The smallest possible legal referral packet is larger than 512 octets (it is 536)

Here is the link to the test: https://zonemaster.net/test/44c3627a5ec7e269

Is this important? If so, how should I fix that?

Thanks

Or Yagel

1 Answer

It is due to the fact that you have 8 nameservers, which do not compress themselves very well because they are in different domains, and have both A and AAAA records (which is very good in fact), so the packet is larger than 512 bytes.

While it should not be a problem anymore today, you may hit old hardware/software that will have trouble with DNS packets larger than 512 bytes. You can have a look at this other question which gives useful answers too: Why DNS through UDP has a 512 bytes limit?

If you can, try to update your domain to use one or two fewer nameservers.

Patrick Mevzek
  • Thanks. I asked Azure support, and they are saying that the client usually tries with UDP first, then it might fail over to TCP because of the 512 bytes limit. Is that something I can count on? Doesn't it make the request much slower? – Or Yagel Nov 30 '17 at 14:04
  • This is not the main issue, I think; the time difference will be negligible (since you do not do DNS just for the sake of it, you do HTTP or SMTP or other protocols afterwards, and they will take more time than the DNS query) and you have caches. But you may have some old appliances/firewalls/etc. that just drop packets longer than 512 bytes. It is an error, but it happens. Otherwise, automatic retrying on TCP if UDP fails is indeed part of the protocol. However, you got only a warning, meaning that it is not a major problem nor really your fault; you can go ahead as is. – Patrick Mevzek Nov 30 '17 at 14:07
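The mechanics behind the answer (eight nameservers under different parent domains, so their names cannot share compression pointers, plus an A and an AAAA record per server), as an added example that is not part of the question, the answer or Zonemaster: a small Python estimator for the wire size of a referral with RFC 1035 label compression. The zone name, the nameserver names and the choice of which servers get glue are assumptions, so the figures illustrate the effect of server count and glue rather than reproduce the 536 octets reported above.

```python
"""Estimate the wire size of a DNS referral (RFC 1035 section 4.1):
header + question + NS RRset in the authority section + optional A/AAAA
glue in the additional section, with label compression applied (a suffix
already written in the packet is replaced by a 2-octet pointer).
Illustrative code; not Zonemaster's implementation."""

HEADER_LEN = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
RR_FIXED = 10     # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)


def name_wire_len(name, seen):
    """Octets needed to write `name`, compressing against suffixes already
    present in the packet (`seen`); newly written suffixes are recorded."""
    labels = name.rstrip(".").lower().split(".")
    length = 0
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in seen:
            return length + 2            # pointer to the earlier copy
        seen.add(suffix)
        length += 1 + len(label)         # length octet + label bytes
    return length + 1                    # terminating root label


def referral_size(qname, zone, nameservers, glue_for=()):
    """Size in octets of a referral for `qname` to `zone` listing every
    name in `nameservers`, plus one A and one AAAA glue record for each
    name in `glue_for` (assumed, not the parent's real policy)."""
    seen = set()
    size = HEADER_LEN + name_wire_len(qname, seen) + 4   # QTYPE + QCLASS
    for ns in nameservers:                               # authority section
        size += name_wire_len(zone, seen) + RR_FIXED + name_wire_len(ns, seen)
    for ns in glue_for:                                  # additional section
        size += name_wire_len(ns, seen) + RR_FIXED + 4   # A: 4-octet RDATA
        size += name_wire_len(ns, seen) + RR_FIXED + 16  # AAAA: 16-octet RDATA
    return size


# Constructed names modelled on the two providers' patterns; not the asker's.
NAMESERVERS = [
    "ns-1.awsdns-01.com", "ns-2.awsdns-02.net",
    "ns-3.awsdns-03.org", "ns-4.awsdns-04.co.uk",
    "ns1-01.azure-dns.com", "ns2-01.azure-dns.net",
    "ns3-01.azure-dns.org", "ns4-01.azure-dns.info",
]

if __name__ == "__main__":
    zone = "example.com"   # assumed zone name
    print("NS only:          ", referral_size(zone, zone, NAMESERVERS))
    print("NS + A/AAAA glue: ", referral_size(zone, zone, NAMESERVERS, NAMESERVERS))
    print("six NS + glue:    ", referral_size(zone, zone, NAMESERVERS[:6], NAMESERVERS[:6]))
```

With these constructed names, dropping two of the eight servers takes the referral with glue from 636 to 482 octets, under the 512-octet UDP limit, which is the effect the answer's advice is after.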