[dns-operations] PMTUD of .org servers

Mark Andrews marka at isc.org
Sat Jun 20 02:01:21 UTC 2009

In message <4A3BC6DB.4010503 at hp.com>, Rick Jones writes:
> > at which point EDNS will suffer badly, and TCP fallback will be used.  so
> > like i said, solaris just can't be a good EDNS server.  interesting.
> I'm guessing then that HP-UX 11i will be in the same boat.
> Since I'm more than willing to demonstrate my cluelessness :)  why is it 
> felt that the occasional drop from PMTU will cause such a degree of 
> suffering?  Doesn't it depend on the frequency of queries relative to 
> the PMTU entry timeouts? (ip_ire_pathmtu_interval in HP-UX ndd-speak).
> And is wiretapping the ICMP really going to help much in named 
> (udp_pass_up_icmp in HP-UX nddspeak)?  IIRC on those hosts where DF is 
> set on UDP, the arrival of the ICMP message is going to cause a PMTU 
> route to be created and there will be suitable IP fragmentation on the 
> next send(s) to that destination.  Unless named is going to keep a copy 
> of a reply on the off chance an ICMP is going to arrive it doesn't 
> really benefit from getting the ICMP message(s) does it?
> I suppose when named is sending a request there might be value, but is 
> that going to be worth the overheads?
> rick jones

If you have too many things causing packets to be dropped you can't
sensibly recover.  For EDNS/UDP you have

	Routing loops.
	PMTU discovery.
	Firewalls dropping fragmented responses.
	Firewalls dropping DNS packets > 512.
	Bad DNS proxies dropping UDP packets greater than some arbitrary limit.
	Bad DNS servers not responding to EDNS queries.

All of these are seen as "timeout" by the client.

PMTUD works great for DNS/TCP because it is the IP stack that recovers.
PMTUD is disastrous for DNS/UDP because it is the application that recovers.

There are some OS's which turn it on by default for both TCP and UDP.
Other OS's only turn it on for TCP by default.

Being able to remove PMTUD as a cause leaves one less thing to deal with.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
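
An added example, not part of the original message and not BIND's code: on Linux (an assumption; the thread discusses Solaris and HP-UX), a UDP server can remove PMTUD as a drop cause for its own socket with the IP_MTU_DISCOVER socket option, independent of the system-wide default. The function names are illustrative.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the socket's current path-MTU discovery mode, or -1 on error.
 * Linux values: IP_PMTUDISC_DONT (never set DF), IP_PMTUDISC_WANT
 * (per-route hints), IP_PMTUDISC_DO (always set DF). */
int pmtud_mode(int fd)
{
    int mode = -1;
    socklen_t len = sizeof(mode);

    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    return mode;
}

/* Open an IPv4 UDP socket with PMTUD switched off. With DF cleared, a
 * large EDNS response that exceeds a link MTU is fragmented in the
 * network instead of being dropped and reported by ICMP, so the client
 * does not see a timeout from this particular cause. */
int open_udp_no_pmtud(void)
{
    int off = IP_PMTUDISC_DONT;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &off, sizeof(off)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_udp_no_pmtud();

    if (fd < 0) {
        perror("open_udp_no_pmtud");
        return 1;
    }
    printf("PMTUD mode on socket: %d (IP_PMTUDISC_DONT is %d)\n",
           pmtud_mode(fd), IP_PMTUDISC_DONT);
    close(fd);
    return 0;
}
```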
