[dns-operations] G root pmtu?

Casey Deccio casey at deccio.net
Mon Apr 10 17:35:34 UTC 2017


> On Apr 10, 2017, at 8:53 AM, Wessels, Duane <dwessels at verisign.com> wrote:
> 
> Hi Randy,
> 
> I believe this is the archived DNSViz result that shows the problem you observed:
> 
> http://dnsviz.net/d/gn/WOp7lA/dnssec/
> 
> Since the size of the signed 'gn/DS' response is 366 bytes I'm skeptical that it was actually related to PMTU.  More likely a dropped packet for other reasons.  Subsequent tests of the domain don't show the issue.  For example:
> 
> http://dnsviz.net/d/gn/WOr2xQ/dnssec/
> 

Right - DNSViz tries to induce the cause of the problem by changing request parameters up after several timeouts to see if behavior changes.  While it's possible that it's hitting two different instances in the different tests (e.g., two different load balancer backends or two different anycast nodes) and only one of them has PMTU issues, it's also possible that requests to a single instance periodically time out, and the timeouts and responses happen to align with the diagnostic tests to indicate a PMTU error.  

For reference, in the default case DNSViz does something like this:

Timeout starts out at 1 second
After 1 response timeout
After 2 timeouts change timeout to 2 seconds
After 3 timeouts change timeout to 4 seconds
After 4 timeouts reduce udp payload size to 512 and change timeout to 1 second, and change source UDP port
After 5 timeouts change timeout to 2 seconds
After 6 timeouts clear DO flag and change source UDP port
After 7 timeouts disable EDNS and change source UDP port
After 8 timeouts give up

Casey
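
An added illustration (not part of the message above and not DNSViz's own code): a Python model of the retry ladder listed above. It shows how a server that merely loses the first four queries reaches the same ladder step as a real PMTU blackhole, and how the 366-byte response size mentioned in the quoted text tells the two apart. The initial payload size of 4096, the 1400-byte path limit, the inference rule and all function names are assumptions.

```python
INITIAL_PAYLOAD = 4096  # assumption: starting EDNS UDP payload size
MAX_TIMEOUTS = 8        # "After 8 timeouts give up"
# Parameter changes keyed by timeout count, as listed in the message
# (the source-port changes at 4, 6 and 7 are not modeled).
STEPS = {2: {"timeout": 2}, 3: {"timeout": 4},
         4: {"payload": 512, "timeout": 1}, 5: {"timeout": 2},
         6: {"do": False}, 7: {"edns": False}}

def params_after(timeouts):
    """Query parameters in effect after `timeouts` consecutive timeouts."""
    p = {"timeout": 1, "payload": INITIAL_PAYLOAD, "do": True, "edns": True}
    for n in range(1, timeouts + 1):
        p.update(STEPS.get(n, {}))
    return p

def run_ladder(server):
    """server(attempt, params) -> True if a response arrives in time.
    Returns the number of timeouts seen before the first response, or None."""
    for t in range(MAX_TIMEOUTS):
        if server(t, params_after(t)):
            return t
    return None

def infer(t, full_size):
    """Hypothetical, simplified inference; full_size is the size in bytes of
    the complete signed response, known from a later successful query."""
    if t is None:
        return "no response"
    if t < 4:
        return "ok" if t == 0 else "intermittent timeouts"
    p = params_after(t)
    if not (p["edns"] and p["do"]):
        return "EDNS/DO handling suspected"
    # Response first appeared once the payload size was lowered to 512.
    if full_size <= 512:
        return "not PMTU: response already fits in 512 bytes"
    return "PMTU suspected"

def pmtu_blackhole(full_size, path_limit=1400):
    """Constructed server: any response larger than path_limit is lost."""
    def server(t, p):
        advertised = p["payload"] if p["edns"] else 512
        return min(full_size, advertised) <= path_limit
    return server

def drops_first(n):
    """Constructed server: loses the first n queries, whatever their size."""
    return lambda t, p: t >= n
```

Both `run_ladder(pmtu_blackhole(1800))` and `run_ladder(drops_first(4))` stop at the same step; only the full response size passed to `infer` separates them.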





