[dns-operations] ID of IPv4 fragments and DNS and the future RFC

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Jan 13 16:19:27 UTC 2013


The future RFC 6864, currently in AUTH48 state, talks about the
unicity of the ID (datagram identifier) field for IPv4. Its section
5.2 is of interest to us: basically, it says that senders of
"non-atomic packets" (a non-atomic packet is an IPv4 packet that is
fragmented or may be, since it does not have the DF bit set; unlike an
HTTP server, the traffic of a DNS server is typically mostly made of
non-atomic packets) MUST rate-limit such packets to enforce the old
(RFC 791) rule that the ID must be unique for the lifetime of a packet
in the network (typically two minutes, a number I've always found very
high).

Is there a practical consequence for us? My first guess is No, since
the unicity is only per {src, dest} pair and there is no chance a DNS
server will have to send more than 6.4 Mbps to a given destination
(6.4 Mbps is the maximum throughput with a 1500 B MTU under the ID
unicity limit).

Of course, during attacks, the throughput can be much higher but, when
there is an attack, we have a bigger problem than ID duplication.

So, my first reaction is "let's do nothing". Do we agree?
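The post reasons from the ID-uniqueness bound (65536 IDs spread over a 120 s lifetime, at 1500 bytes per packet) to "do nothing". The following is an added example, not code from the post or from RFC 6864: it computes that bound and, more usefully for an operator, checks a list of outgoing packet records for actual ID reuse within the lifetime, per {src, dst} pair, skipping atomic (DF=1, MF=0, offset=0) packets, which RFC 6864 exempts from the rule. The record format and the sample records are constructed here; extracting (timestamp, src, dst, id, DF) tuples from a real capture is left to the reader's tooling.

```python
"""IPv4 ID uniqueness check (RFC 791 rule as restated by RFC 6864).

Added example for the dns-operations thread; not code from the post or
the RFC. Records are constructed tuples (ts_seconds, src, dst, ip_id, df_set)
as one might extract from a packet capture of a DNS server's answers.
"""

ID_SPACE = 1 << 16        # the Identification field is 16 bits wide
MDL_SECONDS = 120         # maximum datagram lifetime assumed by RFC 6864 (2 minutes)


def max_non_atomic_pps(mdl=MDL_SECONDS):
    """Highest packet rate to one destination at which no ID is reused
    within the maximum datagram lifetime: 65536 / 120 = 546.1 pps."""
    return ID_SPACE / mdl


def max_non_atomic_bps(packet_bytes=1500, mdl=MDL_SECONDS):
    """The same bound in bits/s for a given on-the-wire packet size.
    For 1500-byte packets this is 6 553 600 bps, i.e. about 6.5 Mbps."""
    return max_non_atomic_pps(mdl) * packet_bytes * 8


def is_atomic(df_set, more_fragments=False, frag_offset=0):
    """RFC 6864: a datagram is atomic when DF=1, MF=0 and offset=0.
    Its ID field carries no meaning and may be reused at any rate."""
    return bool(df_set) and not more_fragments and frag_offset == 0


def find_id_reuse(records, mdl=MDL_SECONDS):
    """Return violations of the uniqueness rule among non-atomic packets.

    records: iterable of (ts, src, dst, ip_id, df_set), in any order.
    A violation is a non-atomic packet whose (src, dst, ip_id) was last
    used less than `mdl` seconds earlier. Uniqueness is only required per
    {src, dst} pair, so the same ID sent to another destination is fine.
    Returns a list of (ts, src, dst, ip_id, seconds_since_previous_use).
    """
    last_seen = {}      # (src, dst, ip_id) -> timestamp of last non-atomic use
    violations = []
    for ts, src, dst, ip_id, df_set in sorted(records, key=lambda r: r[0]):
        if is_atomic(df_set):
            continue
        key = (src, dst, ip_id)
        prev = last_seen.get(key)
        if prev is not None and ts - prev < mdl:
            violations.append((ts, src, dst, ip_id, ts - prev))
        last_seen[key] = ts
    return violations


# Constructed sample: a DNS server (192.0.2.53) answering two resolvers.
SAMPLE_RECORDS = [
    (0.0,   "192.0.2.53", "198.51.100.7", 0x1234, False),  # non-atomic, first use
    (0.5,   "192.0.2.53", "203.0.113.9",  0x1234, False),  # same ID, other dst: allowed
    (60.0,  "192.0.2.53", "198.51.100.7", 0x1234, False),  # reused after 60 s: violation
    (10.0,  "192.0.2.53", "198.51.100.7", 0x1235, True),   # atomic (DF set)
    (11.0,  "192.0.2.53", "198.51.100.7", 0x1235, True),   # atomic reuse: allowed
    (200.0, "192.0.2.53", "198.51.100.7", 0x1234, False),  # 140 s after last use: allowed
]

if __name__ == "__main__":
    print("max non-atomic rate to one destination: %.1f pps, %.2f Mbps at 1500 B"
          % (max_non_atomic_pps(), max_non_atomic_bps() / 1e6))
    for ts, src, dst, ip_id, delta in find_id_reuse(SAMPLE_RECORDS):
        print("ID 0x%04x %s -> %s reused at t=%.1fs, only %.1fs after previous use"
              % (ip_id, src, dst, ts, delta))
```

Run against a real capture, an empty result from find_id_reuse for the server's busiest destination pair is the concrete confirmation that the 6.4 Mbps reasoning holds for that server; anything non-empty shows the destination is being fed faster than the bound allows (or that the kernel's ID generator is not a per-destination counter).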


