[dns-operations] DNS Issue

Mark Andrews marka at isc.org
Wed May 1 23:01:20 UTC 2013


In message <alpine.LSU.2.00.1305011825160.19357 at hermes-2.csi.cam.ac.uk>,
Tony Finch writes:
> Florian Weimer <fw at deneb.enyo.de> wrote:
> >
> > I think you still can't serve UDP over IPv6 without per-client state,
> > keeping both full RFC conformance and interoperability with the
> > existing client population.  Pre-fragmentation to 1280 or so bytes
> > isn't enough, you also have to generate atomic fragments.
> 
> Or don't fragment and restrict the EDNS buffer size to 1280. I'm somewhat
> amazed that DNS-over-fragmented-UDP works as well as it does. See also
> https://www.usenix.org/conference/lisa12/dnssec-what-every-sysadmin-should-be-doing-keep-things-working

Which just moves the PMTUD problem to TCP, which I can assure you
is also a problem.  Some of the ORG servers are configured like
this and, guess what, it does not work well.  Named now sets
IPV6_USE_MIN_MTU to 1 on TCP sockets to avoid this as well.

In theory this should impact on the MSS negotiation and the MTU for
the connection has been reduced to 1280.  Apple and FreeBSD (at
least) get this wrong.  Bug reports have been filed with both vendors
as well as a kernel patch for FreeBSD.

In practice it results in fragmented TCP packets being sent but at
least you avoid PMTUD one way.

> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
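
The socket option discussed in the message above, as an added example that is not part of the original post and is not named's own code: it sets IPV6_USE_MIN_MTU to 1 on an IPv6 TCP socket so the sender stays at the 1280-byte minimum MTU instead of relying on PMTUD. The function and enum names are hypothetical, and the IPV6_MTU fallback for systems whose headers do not define IPV6_USE_MIN_MTU (Linux with glibc, for instance) is an assumption of this example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Result codes (names are this example's own, not from any library). */
enum { CLAMP_ERROR = -1, CLAMP_UNAVAILABLE = 0,
       CLAMP_USE_MIN_MTU = 1, CLAMP_FIXED_MTU = 2 };

/* Pin an IPv6 socket to the 1280-byte minimum MTU.
 * Call it before connect()/listen() so it applies to the whole connection. */
int clamp_to_min_mtu(int fd)
{
#if defined(IPV6_USE_MIN_MTU)
    /* RFC 3542 option: 1 = always send at the IPv6 minimum MTU. */
    int on = 1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &on, sizeof(on)) < 0)
        return CLAMP_ERROR;
    return CLAMP_USE_MIN_MTU;
#elif defined(IPV6_MTU)
    /* Assumed fallback: fix the socket MTU at 1280 explicitly. */
    int mtu = 1280;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof(mtu)) < 0)
        return CLAMP_ERROR;
    return CLAMP_FIXED_MTU;
#else
    (void)fd;
    return CLAMP_UNAVAILABLE;   /* neither option exists on this platform */
#endif
}

int main(void)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket(AF_INET6)");
        return 1;
    }
    int r = clamp_to_min_mtu(fd);
    if (r == CLAMP_ERROR)
        perror("setsockopt");
    printf("clamp_to_min_mtu -> %d\n", r);
    close(fd);
    return r > 0 ? 0 : 1;
}
```

As the message notes, packets larger than 1280 bytes may then leave the host as fragments, so checking the effect with a packet capture on the server is worthwhile.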


