[dns-operations] ID of IPv4 fragments and DNS and the future RFC

Florian Weimer fw at deneb.enyo.de
Sun Jan 13 19:59:39 UTC 2013

* Stephane Bortzmeyer:

> The future RFC 6864, currently in AUTH48 state, talks about the
> unicity of the ID (datagram identifier) field for IPv4. Its section
> 5.2 is of interest to us: basically, it says that senders of
> "non-atomic packets" (a non-atomic packet is an IPv4 packet which is
> fragmented or will possibly be, since it has no DF bit: unlike a HTTP
> server, the traffic of a DNS server is typically mostly made of
> non-atomic packets) MUST rate-limit such packets to enforce the old
> (RFC 791) rule that ID must be unique for the duration of a packet in
> the network (typically two minutes, a number I've always find very
> high).

A typical initial TTL is 64, so the packet lives for at most 64
seconds.  (Originally, the TTL was measured in seconds, and decrement
by at least 1 at every hop.)

> Is there a practical consequence for us?

Strictly speaking, it forbids stateless authoritative servers because
counters for rate limiting have to be recorded somewhere.

> My first guess is No since the unicity is only per couple {src,
> dest} and there is no chance a DNS server will have to send more
> than 6.4 Mbps to a given destination (6.4 is the maximum throughput
> with a 1500 B MTU with the ID unicity limit).

1000 responses per second doesn't seem that much, though.

(Fortunately, IPv6 comes with a 32 bit fragment ID...)

More information about the dns-operations mailing list