[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Apr 19 04:39:24 UTC 2020 

The DANE survey unbound resolver is presently configured to advertise an
EDNS UDP buffer size of 1232 bytes (to avoid UDP fragmentation problems
over IPv6).  With this buffer size (or indeed any buffer size below 1346
bytes) and the DO bit set to solicit DNSSEC signatures, queries for the
darpa.mil MX host TLSA records fail:

    * ns1.darpa.mil[192.5.18.195]
    * ns2.darpa.mil[192.5.18.70]

        ;; Truncated, retrying in TCP mode.

        ; dig +dnssec +norecur +bufsize=1345 +tries=1 +timeout=1 -t tlsa _25._tcp.mailgate3.darpa.mil
        ; (1 server found)
        ;; global options: +cmd
        ;; connection timed out; no servers could be reached

    * ns3.darpa.mil (nameserver unreachable):

        @158.63.250.6
        No response: https://dnsviz.net/d/_25._tcp.mailgate3.darpa.mil/Xpuadw/dnssec/

Increasing the EDNS buffer size to at least 1346 bytes, yields a non-truncated
answer from the first two servers, and obviates the need for TCP fallback:

        ; dig +dnssec +norecur +bufsize=1346 +tries=1 +timeout=1 -t tlsa _25._tcp.mailgate3.darpa.mil
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59808
        ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags: do; udp: 4096
        ;; QUESTION SECTION:
        ;_25._tcp.mailgate3.darpa.mil.  IN      TLSA
      
        ;; ANSWER SECTION:
        _25._tcp.mailgate3.darpa.mil. 86400 IN  TLSA    3 1 1 16324F20972821322D41CB0BD7E244A6C6A8AD7694C75D581321D897 A197446C
        _25._tcp.mailgate3.darpa.mil. 86400 IN  RRSIG   TLSA 8 5 86400 20200425023619 20200418022005 13593 darpa.mil. <sig>
        _25._tcp.mailgate3.darpa.mil. 86400 IN  RRSIG   TLSA 8 5 86400 20200425023619 20200418022005 38190 darpa.mil. <sig>

        ;; AUTHORITY SECTION:
        darpa.mil.              86400   IN      NS      ns1.darpa.mil.
        darpa.mil.              86400   IN      NS      ns3.darpa.mil.
        darpa.mil.              86400   IN      NS      ns2.darpa.mil.
        darpa.mil.              86400   IN      RRSIG   NS 8 2 86400 20200425220426 20200418210607 13593 darpa.mil. <sig>
        darpa.mil.              86400   IN      RRSIG   NS 8 2 86400 20200425220426 20200418210607 38190 darpa.mil. <sig>

        ;; Query time: 75 msec
        ;; SERVER: 192.5.18.195#53(192.5.18.195)
        ;; WHEN: Sun Apr 19 04:08:26 UTC 2020
        ;; MSG SIZE  rcvd: 1346

The real issue is of course that darpa.mil needs to have working TCP
DNS, but incidentally we see that smaller buffer sizes aren't always
safer, because not all DNS operators read the memo about DNS over TCP.

Is there any new information on whether something closer to 1400 is
generally safe also for IPv6?

-- 
    Viktor.

More information about the dns-operations mailing list