[dns-operations] DNS Issue

Florian Weimer fw at deneb.enyo.de
Wed May 1 14:40:28 UTC 2013

* Joe Abley:

> The assumption is that "firewall" means "device that keeps
> state". This could be a firewall, or a NAT, or an in-line DPI
> device, or something similar. We're not talking about stateless
> packet filters.

I think you still can't serve UDP over IPv6 without per-client sate,
keeping both full RFC conformance and interoperability with the
existing client population.  Pre-fragmentation to 1280 or so bytes
isn't enough, you also have to generate atomic fragments.  But the
latter cannot be processed by some clients, so you cannot send out
atomic fragments unconditionally (even if there were a socket option
to do that).

Many large servers do not even pre-fragment to 1280 bytes, so they
rely on path MTU information in the destination cache for
communication with clients on sub-1500-MTU links.  I wonder when this
statefullness of IPv6 UDP traffic will cause practical problems,
probably as soon as the traffic levels exceeds what can be comfortably
kept in the server cache.

Enough ranting today.  I suspect this issue will only get addressed
when enough operators experience it first-hand, like the EDNS0
fallback issue.

More information about the dns-operations mailing list