[dns-operations] How .org name server handle large DNS response?

Warren Kumari warren at kumari.net
Wed Dec 19 22:20:25 UTC 2018


On Wed, Dec 19, 2018 at 4:20 AM Davey Song(宋林健) <ljsong at biigroup.cn> wrote:

> Hi folks,
>
> I’m curious about how the .org authoritative servers handle large DNS responses.
> Is there any notable impact of IPv6 fragment issues on .org servers?
>
> I ask about .org because .org generates a large DNS response (1625 octets) when
> you dig dnskey org. +dnssec, which makes the issue more common.
>

The bit that confuses me about this is that Geoff Huston (who I trust) has
a number of presentations showing that IPv6 fragmentation and large DNS
responses simply don't work -- e.g.:
https://indico.dns-oarc.net/event/27/contributions/469/attachments/449/749/2017-09-29-xtn-hdrs-dns.pdf
E.g., slide 29 says "IPv6 Fragmentation Failure Rate: 38%". Geoff has a
history of being right, and I've listened to this presentation a few times,
know how the methodology works, etc. I've discussed these results with him
and he's sure they are right. These numbers also roughly correlate with
other people's data on fragmentation failures.

Joe Abley (who I also trust), and some other friends who I also trust work
at Afilias (who serve .org) -- and they say that they are not seeing
failure rates on UDP like this. I've also traveled with my laptop and
tested (on v6 networks with a local resolver and TCP blocked) and am not
seeing failures like those predicted.


So, what's going on here? Is this simply sample bias? Is the failover to
TCP saving us? Or the predominance of v4? What's actually keeping .org
running (and I know that it *is* running :-))?

W




>
> Are there Afilias people on the mailing list? Did you ever consider ATR
> (draft-song-atr-large-resp) for the issue? We need a talk.
>
>
>
> Best regards,
>
> Davey


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf