[dns-operations] Announcement - DNS flag day on 2019-02-01
Mark Andrews
marka at isc.org
Thu Jun 14 22:14:27 UTC 2018
No, you just fragment at network MTU. The IETF even specified a setsockopt in the advanced socket API to tell the kernel to do that.
Named uses that on any response that could cause fragmentation when encapsulated over Ethernet. Named used to just set it but Geoff complained about “unnecessary” fragmentation between 1280 and 1500 byte UDP packets.
Named also drops TCP segment sizes similarly to reduce the probability of PMTUD occurring.
--
Mark Andrews
> On 15 Jun 2018, at 03:04, Florian Weimer <fw at deneb.enyo.de> wrote:
>
> * Shane Kerr:
>
>> Paul Vixie:
>>> i'd rather we broke everything that won't let edns through. the internet
>>> can't grow in avoidance-mode. we have to confront, too.
>>
>> I don't think the problem referred to here is EDNS, but rather large
>> packets.
>
> It's both. With some implementations, data loss due to fragmentation
> leads to fallback from EDNS, which again leads to DNSSEC validation
> failures due to signature stripping.
>
>> Are there even secure ways to establish PMTU on the Internet? Or if not
>> secure (as in "authenticated"), then ways that don't open operators up
>> to various ICMP-based attacks?
>
> Source addresses of ICMP packets cannot be validated. You can try to
> check the payload, but that could be predictable as well. It also
> requires keeping packets around after they have been sent.
>
> For IPv6, the DNS server needs to keep track of the PMTU to every
> client it sees if it wants to support a PMTU lower than the interface
> MTU. So it's not even possible to implement a simple stateless UDP
> server.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
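An added example (not BIND's code, and not from anyone in this thread) of what "fragment at the minimum MTU instead of relying on PMTUD" looks like at the socket layer. Where the RFC 3542 advanced socket API option IPV6_USE_MIN_MTU exists it is used directly; on Linux, which lacks that option, the fallback below pins the socket's MTU to 1280 with IPV6_MTU and disables PMTUD with IPV6_MTU_DISCOVER / IPV6_PMTUDISC_DONT. That fallback, the 1220-byte TCP MSS clamp and the helper names are this example's own choices, not a description of how named does it. The payload arithmetic shows why a 1280-byte IPv6 path leaves at most 1232 bytes for a DNS message over UDP.

```c
/* Added example: make a UDP (and TCP) server socket fragment locally at
 * the IPv6 minimum MTU so that delivery never depends on receiving ICMPv6
 * Packet Too Big messages, whose source cannot be authenticated. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>   /* TCP_MAXSEG */

#define IPV6_HDR_LEN   40
#define IPV4_HDR_LEN   20
#define UDP_HDR_LEN     8
#define TCP_HDR_LEN    20
#define IPV6_MIN_MTU_B 1280   /* RFC 8200 minimum link MTU */

/* Largest UDP payload (the DNS message) that fits in one packet of this MTU. */
int max_udp_payload_ipv6(int mtu) { return mtu - IPV6_HDR_LEN - UDP_HDR_LEN; }
int max_udp_payload_ipv4(int mtu) { return mtu - IPV4_HDR_LEN - UDP_HDR_LEN; }

/* Ask the kernel to fragment IPv6 datagrams at 1280 bytes instead of
 * probing the path MTU.  Returns 0 on success, -1 with errno on failure. */
int use_min_mtu_v6(int fd)
{
#ifdef IPV6_USE_MIN_MTU
    /* RFC 3542 section 11.1: 1 = always use the minimum MTU. */
    int one = 1;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &one, sizeof one);
#elif defined(IPV6_MTU) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DONT)
    /* Linux fallback (this example's choice): pin the socket MTU to 1280
     * and turn PMTUD off so larger datagrams are fragmented on the host. */
    int mtu = IPV6_MIN_MTU_B;
    int dont = IPV6_PMTUDISC_DONT;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof mtu) < 0)
        return -1;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &dont, sizeof dont);
#else
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Clamp the TCP MSS so segments also fit the minimum MTU (1280-40-20). */
int clamp_tcp_mss_v6(int fd)
{
    int mss = IPV6_MIN_MTU_B - IPV6_HDR_LEN - TCP_HDR_LEN;   /* 1220 */
    return setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, &mss, sizeof mss);
}

int main(void)
{
    printf("max DNS/UDP payload at IPv6 min MTU: %d bytes\n",
           max_udp_payload_ipv6(IPV6_MIN_MTU_B));          /* 1232 */
    printf("max DNS/UDP payload at 1500-byte IPv4 MTU: %d bytes\n",
           max_udp_payload_ipv4(1500));                    /* 1472 */

    int udp = socket(AF_INET6, SOCK_DGRAM, 0);
    if (udp < 0) { perror("socket(udp)"); return 1; }
    if (use_min_mtu_v6(udp) < 0)
        fprintf(stderr, "use_min_mtu_v6: %s\n", strerror(errno));
    else
        puts("UDP socket will fragment at 1280 without PMTUD");
    close(udp);

    int tcp = socket(AF_INET6, SOCK_STREAM, 0);
    if (tcp < 0) { perror("socket(tcp)"); return 1; }
    if (clamp_tcp_mss_v6(tcp) < 0)
        fprintf(stderr, "clamp_tcp_mss_v6: %s\n", strerror(errno));
    else
        puts("TCP MSS clamped to 1220");
    close(tcp);
    return 0;
}
```

The 1232-byte figure is the budget a responder has before an IPv6 reply must be fragmented on a 1280-byte path; keeping UDP responses under it (and clamping TCP segments the same way) is how a server avoids depending on ICMP feedback at all. Whether the Linux fallback actually fragments at 1280 should be confirmed on the target kernel with a packet capture rather than assumed.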