[dns-operations] PMTUD of .org servers

Paul Vixie vixie at isc.org
Sat Jun 20 13:48:13 UTC 2009

> From: Florian Weimer <fw at deneb.enyo.de>
> Date: Sat, 20 Jun 2009 11:46:30 +0200
> * Paul Vixie:
> > seems more likely that they'll leave DF on by default.  EDNS speakers
> > should probably open the ICMP socket and look for evidence of DF damage.
> On the client side, a raw IP socket (perhaps bound to the UDP protocol if
> the stack allows it) and looking for tail fragments (which are likely to
> get through because they don't exhaust the path MTU) could provide some
> data.  It might be easier to run fragment assembly entirely in user space
> instead of matching this data to the UDP sockets you receive. 8-/

this approach would also help find head fragments whose following fragments
never arrive due to firewalls that don't understand ip fragmentation and who
therefore only pass UDP/53, do not remember IP ID, do not pass fragments in
an explicit rule, and do not associate fragments (which have no UDP header
and thus are not "UDP/53") with their first fragments.  this is one of the
most common causes of EDNS0 timeouts.

it won't catch IDS boxes who just know that UDP/53 can't be larger than 512
and who therefore drop it on the floor even when there's no fragmentation at
all.  (which is also a leading cause of EDNS0 problems.)

but i digress.

More information about the dns-operations mailing list