[dns-operations] How .org name server handle large DNS response?

Paul Hoffman phoffman at proper.com
Thu Jan 3 17:01:03 UTC 2019


On 3 Jan 2019, at 8:41, Paul Vixie wrote:

> Florian Weimer wrote:
>> ...
>>
>> I think nowadays, it should be possible to clamp the sending buffer 
>> size
>> to something like 1200 bytes (to leave some room for tunnels) and
>> configure the system so that it will never generate atomic fragments, 
>> ...
>
> i think that's the wrong approach. rather, we should alter the servers 
> so that all udp responses and perhaps all tcp segments are fragmented. 
> let those who think they have deployed ipv6 but who don't permit 
> fragmentation be the ones to do additional work -- not those whose 
> implementations are compliant and interoperable.
>
> middleboxes must receive truly bad service and miserable treatment, or 
> we will be their slaves forever. the 19 years of EDNS deployment 
> should have taught us that lesson irrevocably and unambiguously.
>
> we didn't move fast and we're not the ones breaking things.

A few major authoritative servers that always fragment would go a long 
way to fixing this problem the correct way, as PaulV suggests. If one of 
the vendors of auth server software had an "always fragment" setting, it 
would be easy to put on a very public "Flag Day 2: Fragmentation" event.

--Paul Hoffman
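The "clamp the sending buffer size to something like 1200 bytes" idea quoted above comes down to one decision an authoritative server makes per UDP query: take the client's advertised EDNS payload size, cap it at the server's own limit, and if the full answer does not fit, drop records and set TC so the client retries over TCP. The following is an added illustration of that decision, not code from this thread or from any of the name server implementations mentioned in it. It assumes a server cap of 1200 bytes (Florian's suggested value), constructs its own sample TXT records, and ignores name compression, so its byte counts are a few bytes larger than a real server's.

```python
"""Server-side EDNS buffer clamping: honour min(client-advertised, server cap).

Added example; the 1200-byte cap is an assumed policy value, and all records
below are constructed sample data.
"""
import struct

DEFAULT_UDP_SIZE = 512   # RFC 1035 limit when the query carries no OPT record
SERVER_UDP_CAP = 1200    # assumed server-side clamp, per the thread's suggestion


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_record(udp_size, do_bit=True):
    """OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS carries the payload size."""
    ttl = (1 << 15) if do_bit else 0   # DO flag is the high bit of the TTL field
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)


def advertised_udp_size(opt):
    """Client's advertised payload size from its OPT record, or None if absent."""
    if opt is None:
        return None
    rtype, rclass = struct.unpack("!HH", opt[1:5])  # skip the 1-byte root name
    return rclass if rtype == 41 else None


def effective_limit(client_size, server_cap=SERVER_UDP_CAP):
    """Largest UDP response we will send to this client."""
    if client_size is None:
        return DEFAULT_UDP_SIZE
    # RFC 6891: advertised values below 512 are treated as 512; never exceed our cap
    return min(max(client_size, DEFAULT_UDP_SIZE), server_cap)


def txt_rr(name, text, ttl=300):
    """One TXT record in wire format (constructed sample data)."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    return encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata


def build_response(qname, answers, client_opt, server_cap=SERVER_UDP_CAP):
    """Return (wire_bytes, truncated).

    Whole RRs are dropped until the message fits the effective limit; if any
    were dropped, TC=1 tells the client to retry the query over TCP.
    """
    limit = effective_limit(advertised_udp_size(client_opt), server_cap)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # TXT, IN
    additional = opt_record(server_cap) if client_opt is not None else b""
    fixed = 12 + len(question) + len(additional)  # header + question + our OPT
    body, kept = b"", 0
    for rr in answers:
        if fixed + len(body) + len(rr) > limit:
            break
        body += rr
        kept += 1
    truncated = kept < len(answers)
    flags = 0x8000 | 0x0400            # QR=1, AA=1
    if truncated:
        flags |= 0x0200                # TC=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, kept, 0, 1 if additional else 0)
    return header + question + body + additional, truncated


def tc_bit_set(wire):
    """True if the TC flag is set in a wire-format DNS message."""
    return bool(struct.unpack("!H", wire[2:4])[0] & 0x0200)


if __name__ == "__main__":
    rrs = [txt_rr("example.org", "x" * 200) for _ in range(10)]  # ~2.2 KB of answers
    for label, opt, cap in (("client 4096, cap 1200", opt_record(4096), 1200),
                            ("client 4096, cap 4096", opt_record(4096), 4096),
                            ("no EDNS", None, 1200)):
        wire, trunc = build_response("example.org", rrs, opt, server_cap=cap)
        print(f"{label}: {len(wire)} bytes, TC={tc_bit_set(wire)}, truncated={trunc}")
```

With the cap at 1200 the ten-record answer is cut to five records and TC is set, so the client falls back to TCP and no IP fragment is ever emitted; raising the cap to 4096 lets the whole 2280-byte message go out in one UDP datagram, which is exactly the packet that fragments on the wire and that the thread is arguing about. A query with no OPT record gets the classic 512-byte treatment.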


