[dns-operations] How .org name server handle large DNS response?

Florian Weimer fweimer at redhat.com
Thu Jan 3 12:55:10 UTC 2019


* Warren Kumari:

> The bit that confuses me about this is that Geoff Huston (who I trust)
> has a number of presentations showing that IPv6 fragmentation and
> large DNS responses simply don't work -- e.g:

> https://indico.dns-oarc.net/event/27/contributions/469/attachments/449/749/2017-09-29-xtn-hdrs-dns.pdf

> E.g Slide 29 says "IPv6 Fragmentation Failure Rate: 38%". Geoff has a
> history of being right, and I've listened to this presentation a few
> times, know how the methodology works, etc. I've discussed these
> results with him and he's sure they are right. These numbers also
> roughly correlate with other people's data on fragmentation failures.

This does not surprise me at all.  I've reported a potentially related
issue many years ago.  Back then, it was simply impossible to run a
fully compliant stateless UDP server on IPv6 because the protocol is too
broken for that.  It didn't matter because not many people were using
it, so the required state tables were small enough.  And of course
there's the IPv4 service if IPv6 traffic falls into an MTU blackhole.

I think nowadays, it should be possible to clamp the sending buffer size
to something like 1200 bytes (to leave some room for tunnels) and
configure the system so that it will never generate atomic fragments,
but I'm sure there are still people out there who claim that this breaks
IPv6.  (Theoretically, it should have been possible to generate atomic
fragments unconditionally, without any server state, but such packets
are discarded by too many hosts and firewalls, so it's not a viable
option.)

Thanks,
Florian
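The server-side clamp Florian describes (cap the UDP reply at roughly 1200 bytes instead of relying on IPv6 fragmentation) as an added Python example; this is not code from the post, the list, or any .org name server, and the function names, the 1200-byte constant and the example.org sample response are assumptions constructed here. A reply that does not fit is cut at a record boundary and has TC set, so a compliant resolver retries over TCP rather than waiting for fragments that may never arrive.

```python
import struct
MAX_UDP_PAYLOAD = 1200  # clamp from the thread: leaves headroom for tunnels

def _skip_name(msg, off):
    # Return the offset just past a wire-format name (labels or compression pointer).
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _skip_rr(msg, off):
    # Return the offset just past one resource record starting at off.
    off = _skip_name(msg, off)
    rdlen = struct.unpack_from("!HHIH", msg, off)[3]   # type, class, ttl, rdlength
    return off + 10 + rdlen

def clamp_response(msg, limit=MAX_UDP_PAYLOAD):
    # Fit a response into `limit` bytes by dropping trailing RRs and setting TC.
    # Cutting only from the end is safe: compression pointers always point backwards.
    if len(msg) <= limit:
        return msg
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qdcount):                 # the question section is never dropped
        off = _skip_name(msg, off) + 4       # QTYPE + QCLASS
    kept, over = [0, 0, 0], False
    for section, count in enumerate((ancount, nscount, arcount)):
        for _ in range(count):
            end = _skip_rr(msg, off)
            if end > limit:
                over = True
                break
            off = end
            kept[section] += 1
        if over:
            break
    header = bytearray(msg[:12])
    header[2] |= 0x02                        # TC flag, high byte of the flags field
    struct.pack_into("!HHH", header, 6, *kept)
    return bytes(header) + msg[12:off]

def build_sample(n_answers):
    # Constructed sample (not real data): example.org IN A with n_answers records,
    # each answer name a compression pointer to the question name at offset 12.
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, 0)
    question = b"\x07example\x03org\x00" + struct.pack("!HH", 1, 1)
    rr = lambda i: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
    return hdr + question + b"".join(rr(i) for i in range(n_answers))
```

With 80 answers the sample is 1309 bytes; the clamp keeps 73 records (1197 bytes), sets TC and zeroes the counts of the dropped sections.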
