[dns-operations] How .org name server handle large DNS response?

Paul Vixie paul at redbarn.org
Mon Jan 14 16:32:02 UTC 2019

Florian Weimer wrote:
> * Paul Vixie:
> Why would anyone want to do that?  Fragmentation is broken.

i think it was put into the spec for a reason, and should be fixed.

> I might be somewhat sympathetic to the underlying goal if fragmentation
> had any value whatsoever, but I just don't see that.

fragmentation as defined for IPv6 required PMTUD. the goal of this dual 
complexity was to avoid "always send 1500" or worse "always send 1280". 
some end networks don't permit the AH header because it's insecure; many 
others don't ICMP6 because it's insecure.

well, as someone once told me, ARP is insecure, but not all subnets have 
one-bit or two-bit host fields. there are other ways to manage the risks 
of insecure protocols than by blocking them at the firewall.

if ATM's 53-byte cell size was considered absurdly small at 155MBit/sec, 
then 1500-byte packets on 100MBit/sec is even moreso.

a well engineered network would let me run jumbograms on my end-LAN and 
would take advantage of whatever PMTU the WAN could support.

if the only way V6 can be deployed is by throwing away every new feature 
it had except address size, then we're doing this all wrong.

P Vixie

More information about the dns-operations mailing list