Re: [Doh] special meta QTYPEs

Tony Finch <> Fri, 08 June 2018 13:38 UTC

Date: Fri, 8 Jun 2018 14:38:32 +0100
From: Tony Finch <>
To: Dave Lawrence <>
Subject: Re: [Doh] special meta QTYPEs

Dave Lawrence <> wrote:
> Tony Finch writes:
> > I don't think it's possible to fit AXFR or IXFR into
> > DoH because their responses involve multiple DNS messages.
> Adding my comment about *XFR from a different thread to this thread
> too, for tracking.
> Strictly speaking, that's not fully accurate.  I have plenty of zones
> that fit in a single DNS/TCP message when sent over AXFR, and
> DNS/HTTPS would cover the rest quite easily if left in its current
> form.  Adding a restriction on message lengths would make this more
> complicated.

I was speaking in general terms, of course :-) An AXFR client has to be
prepared to handle multiple messages in a response, regardless of the size
of the zone, so a DoH proxy that tries to support AXFR cannot avoid
learning how to cope with multi-message answers from its upstream DNS
server. And it isn't always possible to de-fragment an AXFR response: e.g.
it will break any TSIG authentication.

And as Robert Edmonds pointed out, even if you lift the 64K byte message
size limit, there is still a limit of 64K records (the zone contents are
transferred using the answer section only), and I have plenty of zones
which are bigger than that :-)

f.anthony.n.finch <>
North Hebrides: Easterly 4 or 5. Moderate. Fair. Good occasionally moderate.
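As an added illustration of the multi-message handling discussed above (this is example code written for this archive page, not code from the thread's participants or from any DoH draft): a constructed DNS/TCP AXFR stream of three length-prefixed messages is parsed one message at a time until the closing SOA, which shows why a DoH proxy relaying AXFR must consume several messages, and why the 16-bit ANCOUNT caps a single message at 65535 records. The zone name, RRs and message IDs are made up.

```python
import struct
def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(msg_id, qname, answers):
    """One AXFR response (QR=1, AA=1); ANCOUNT is 16-bit, so >65535 RRs raises struct.error."""
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 252, 1)  # QTYPE=AXFR, class IN
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, 3600, len(r)) + r
                   for n, t, r in answers)
    return header + question + rrs

def tcp_stream(messages):
    """DNS/TCP framing: every message is preceded by its 2-byte length."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)

def skip_name(buf, pos):
    """Advance past a wire-format name, including a trailing compression pointer."""
    while True:
        n = buf[pos]
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1
        if n == 0:
            return pos
        pos += n

def read_axfr_stream(stream):
    """Consume framed messages until the second SOA. Returns (messages, records).
    Each message is parsed on its own; merging them would break per-message TSIG."""
    pos = msgs = records = soa_seen = 0
    while pos + 2 <= len(stream) and soa_seen < 2:
        (mlen,) = struct.unpack_from("!H", stream, pos)
        msg = stream[pos + 2:pos + 2 + mlen]
        pos, msgs = pos + 2 + mlen, msgs + 1
        _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
        p = 12
        for _ in range(qd):
            p = skip_name(msg, p) + 4
        for _ in range(an):
            p = skip_name(msg, p)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, p)
            p, records = p + 10 + rdlen, records + 1
            soa_seen += rtype == 6  # type 6 = SOA; the second one ends the transfer
    return msgs, records
# Constructed sample zone "example." split across three messages: SOA, A records, SOA.
SOA = encode_name("ns1.example.") + encode_name("hostmaster.example.") + struct.pack("!IIIII", 1, 3600, 900, 604800, 300)
def sample_transfer():
    first = [("example.", 6, SOA), ("example.", 1, bytes([192, 0, 2, 1]))]
    middle = [(f"h{i}.example.", 1, bytes([192, 0, 2, i])) for i in range(2, 52)]
    return tcp_stream(build_message(7, "example.", a) for a in (first, middle, [("example.", 6, SOA)]))
```

`read_axfr_stream(sample_transfer())` returns `(3, 53)`: three messages had to be read to collect the 53 records of the constructed zone.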