Reject zones where a RRset is too big to be returned in a DNS message

Currently named/named-checkzone does not reject RRsets that are too big to be returned in a DNS message. While such RRsets could be loaded in a zone they result in truncated RRsets being returned over TCP/DoT/DoH and cannot be verified if they are signed.

Examples of this have been see are usually been misunderstandings to requirements or failure to understand DNS message limits.

e.g. a reverse PTR name should have an address record that match, being treated as every address record should have a PTR that matches. The former results in a single PTR record. The latter is unlimited and will exceed the DNS message size. Using a single name for every PTR record in a reverse address range rather than constructing per address names when pre-populating reverse address ranges. Only ~4000 A records can fit in a maximum sized DNS message (reverse for a /20 won't fit), AAAA has a smaller limit of ~2300 (/116 or /117).

Edited May 24, 2024 by Mark Andrews

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information