[dns-operations] PMTUD of .org servers

Paul Vixie vixie at isc.org
Sat Jun 20 13:48:13 UTC 2009


> From: Florian Weimer <fw at deneb.enyo.de>
> Date: Sat, 20 Jun 2009 11:46:30 +0200
> 
> * Paul Vixie:
> 
> > seems more likely that they'll leave DF on by default.  EDNS speakers
> > should probably open the ICMP socket and look for evidence of DF damage.
> 
> On the client side, a raw IP socket (perhaps bound to the UDP protocol if
> the stack allows it) and looking for tail fragments (which are likely to
> get through because they don't exhaust the path MTU) could provide some
> data.  It might be easier to run fragment assembly entirely in user space
> instead of matching this data to the UDP sockets you receive. 8-/

this approach would also help find head fragments whose following fragments
never arrive due to firewalls that don't understand ip fragmentation and that
therefore only pass UDP/53, do not remember IP ID, do not pass fragments in
an explicit rule, and do not associate fragments (which have no UDP header
and thus are not "UDP/53") with their first fragments.  this is one of the
most common causes of EDNS0 timeouts.

it won't catch IDS boxes that just know that UDP/53 can't be larger than 512
and that therefore drop it on the floor even when there's no fragmentation at
all.  (which is also a leading cause of EDNS0 problems.)

but i digress.
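As an added illustration of the two ideas above (Florian's user-space fragment assembly and Paul's "head fragment arrives, tail never does" symptom), here is a small reassembler run over constructed IPv4 fragments; it is example code, not something either author posted. It assumes the raw packets have already been captured (e.g. from a raw socket) and uses constructed RFC 5737 addresses and zero checksums, so it runs offline without root.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags+offset, TTL, proto, csum, src, dst
MF_FLAG = 0x2000            # "more fragments" bit in the flags/offset field
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])  # constructed RFC 5737 test addresses

def parse_ipv4(packet):
    """Return (header dict, payload bytes) for one raw IPv4 packet."""
    ver_ihl, _, total_len, ip_id, flags_off, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    offset, more = (flags_off & 0x1FFF) * 8, bool(flags_off & MF_FLAG)  # offset is in 8-byte units
    hdr = {"key": (src, dst, ip_id, proto), "offset": offset, "more": more,
           "is_fragment": more or offset != 0}  # offset 0 with MF clear means unfragmented
    return hdr, packet[(ver_ihl & 0x0F) * 4:total_len]

def reassemble(packets):
    """Group fragments by (src, dst, IP ID, proto). Returns ({ip_id: data}, [ip_ids never completed])."""
    trains = defaultdict(list)
    for pkt in packets:
        hdr, payload = parse_ipv4(pkt)
        if hdr["is_fragment"]:
            trains[hdr["key"]].append((hdr["offset"], hdr["more"], payload))
    complete, incomplete = {}, []
    for (_, _, ip_id, _), frags in trains.items():
        expected, data, have_tail, contiguous = 0, b"", False, True
        for offset, more, payload in sorted(frags):
            if offset != expected:  # a middle fragment never arrived
                contiguous = False
                break
            data += payload
            expected, have_tail = offset + len(payload), not more
        if contiguous and have_tail:
            complete[ip_id] = data
        else:  # head fragment seen, tail never showed up: the "UDP/53 only" firewall symptom
            incomplete.append(ip_id)
    return complete, incomplete

def make_fragment(ip_id, offset, more, payload, proto=17):
    """Build a constructed IPv4 fragment as test data (checksum left zero; never sent)."""
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ip_id, flags_off, 64, proto, 0, SRC, DST) + payload

def demo():
    """Constructed capture: full train 0x1111, train 0x2222 whose tail a firewall dropped, unfragmented 0x3333."""
    big = b"\x00\x35" * 600  # 1200-byte UDP payload; first fragment carries 1000 bytes (a multiple of 8)
    capture = [make_fragment(0x1111, 0, True, big[:1000]), make_fragment(0x1111, 1000, False, big[1000:]),
               make_fragment(0x2222, 0, True, big[:1000]),  # tail of 0x2222 is missing
               make_fragment(0x3333, 0, False, b"\x00\x35" * 100)]
    return reassemble(capture)
```

Trains that land in the incomplete list after a reasonable timeout are the evidence of fragment-hostile middleboxes the thread is talking about; a resolver seeing many of them for one server can fall back to a smaller EDNS0 buffer or TCP.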