[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(

Petr Špaček petr.spacek at nic.cz
Tue Apr 21 06:20:04 UTC 2020


On 20. 04. 20 22:22, Viktor Dukhovni wrote:
> On Mon, Apr 20, 2020 at 12:52:49PM -0700, Brian Somers wrote:
> 
>> On Apr 18, 2020, at 9:39 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>> Is there any new information on whether something closer to 1400 is
>>> generally safe also for IPv6?
>>
>> At Cisco we allow up to 1410 bytes upstream and drop fragments.  We prefer IPv6
>> addresses when talking to authorities.  We’ve been doing this for years (except for
>> a period between Feb 2019 and Aug 2019).  Zero customer complaints.
> 
> So perhaps the advice to default to 1232 should be revised:
> 
>     https://dnsflagday.net/2020/#dns-flag-day-2020
> 
> I see some movement in that direction, with the recommendation of 1220
> in:
> 
>     https://tools.ietf.org/html/draft-fujiwara-dnsop-avoid-fragmentation-00#section-3
> 
>        o  Full-service resolvers SHOULD set EDNS0 requestor's UDP payload
>           size to 1220.  (defined in [RFC4035] as minimum payload size)
> 
>        o  Authoritative servers and full-service resolvers SHOULD choose
>           EDNS0 responder's maximum payload size to 1220 (defined in
>           [RFC4035] as minimum payload size)
> 
> revised in -01/-02 to:
> 
>     https://tools.ietf.org/html/draft-fujiwara-dnsop-avoid-fragmentation-02#section-4
> 
>        o  [RFC4035] defines that "A security-aware name server MUST support
>           the EDNS0 message size extension, MUST support a message size of
>           at least 1220 octets".  Then, the smallest number of the maximum
>           DNS/UDP payload size is 1220.
> 
>        o  However, in practice, the smallest MTU witnessed in the
>           operational DNS community is 1500 octets.  The estimated size of a
>           DNS message's UDP headers, IP headers, IP options, and one or more
>           set of tunnel, IP-in-IP, VLAN, and virtual circuit headers, SHOULD
>           be 100 octets.  Then, the maximum DNS/UDP payload size may be
>           1400.
> 
> While darpa.mil still need to enable TCP, a more generous buffer size
> that avoids IPv6 issues will also avoid unnecessary and potentially even
> unavailable TCP fallback.  So I'm in favour of 1400 or 1410 (do we need
> more empirical evidence from other vantage points?) assuming those are
> also safe.
> 
> If the IPv6 obstacles are typically closer to the resolver than the
> authoritative server, just Cisco's experience may not be enough to make
> a definite conclusion.

Please let's not jump to conclusions, especially because of single anecdote.

As Knot Resolver developer I counter with another anecdote:
We have experience with networks where ~ 1300 buffer was workable minimum and 1400 was already too much.

As for OpenDNS experience - I'm hesistant to generalize. According to
https://indico.dns-oarc.net/event/33/contributions/751/attachments/724/1228/20200201_DNSSEC_Recursive_Resolution_From_the_Ground_Up.pptx
DO bit is sent out only since Sep'2018, and presumably from resolvers in data centers. 

Results would be very different for recursive resolver deployment deep in corporate networks/on the last mile.

DNS-over-TCP is mandatory to implement so please let's stop working it around.

-- 
Petr Špaček  @  CZ.NIC



More information about the dns-operations mailing list