[dns-operations] For darpa.mil, EDNS buffer == 1232 is *too small*. :-(
paul at redbarn.org
Tue Apr 21 07:00:29 UTC 2020
On Tuesday, 21 April 2020 06:20:04 UTC Petr Špaček wrote:
> On 20. 04. 20 22:22, Viktor Dukhovni wrote:
> > On Mon, Apr 20, 2020 at 12:52:49PM -0700, Brian Somers wrote:
> >> ...
> >> At Cisco we allow up to 1410 bytes upstream and drop fragments. We
> >> prefer IPv6 addresses when talking to authorities. We’ve been doing
> >> this for years (except for a period between Feb 2019 and Aug 2019).
> >> Zero customer complaints.
> >
> > So perhaps the advice to default to 1232 should be revised:
> > ...
> Please let's not jump to conclusions, especially because of a single anecdote.
my own anecdotes are not singular, but your point is taken.
> As Knot Resolver developer I counter with another anecdote:
> We have experience with networks where ~ 1300 buffer was a workable minimum
> and 1400 was already too much.
i hope you can say much more than this, about that.
> As for OpenDNS experience - I'm hesitant to generalize. According to
> 20200201_DNSSEC_Recursive_Resolution_From_the_Ground_Up.pptx DO bit is sent
> out only since Sep'2018, and presumably from resolvers in data centers.
i understood the opendns team to say that they also used 1410 as the maximum
buffer size in responding to downstream queries. perhaps they can expand here.
> Results would be very different for recursive resolver deployment deep in
> corporate networks/on the last mile.
that statement stretches the verb "would" too far. did you mean "could"? i
think we can learn a lot from authoritative responses (how many are followed
by retries or TCP or a complaint?) and recursive responses (same question).
> DNS-over-TCP is mandatory to implement so please let's stop working it
+1. no part of this debate is for me an argument against mandated TCP and
recommended DoT. those should be assumed on all timelines. however, that does
not justify an arbitrary maximum response buffer size such as 1232. all of the
math that leads to 1232 is unsuitable for DNS's use.
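As an added illustration (not part of this thread or any poster's code), the script below shows the two mechanics the discussion revolves around: the commonly cited arithmetic behind 1232 (IPv6 minimum MTU 1280 minus the 40-byte IPv6 header and 8-byte UDP header), how a resolver advertises its buffer size in the EDNS(0) OPT pseudo-RR (RFC 6891), and the resolver-side check that turns a truncated (TC=1) answer into a TCP retry. The query name darpa.mil comes from the subject line; the transaction id and the truncated response are constructed sample data, and the helper names are my own.

```python
import struct

# Commonly cited derivation of 1232: IPv6 minimum link MTU (RFC 8200)
# minus the fixed IPv6 header minus the UDP header. IPv4 header is 20 bytes.
IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
IPV4_HEADER = 20
UDP_HEADER = 8

# DNS header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
TYPE_OPT = 41
EDNS_DO = 0x8000  # DO bit lives in the high bit of the OPT RR "TTL" field


def max_payload_for_mtu(mtu, ipv6=True):
    """Largest UDP payload that fits in one packet of the given MTU unfragmented."""
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - UDP_HEADER


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, udp_payload_size, do_bit=True, txid=0x1234):
    """DNS query carrying an OPT RR that advertises udp_payload_size (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=requested UDP payload size,
    # TTL=extended RCODE / version / flags (DO), RDLENGTH=0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size,
                                EDNS_DO if do_bit else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) name; a 0xC0 pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Extract txid, TC flag, and the EDNS payload size / DO bit if an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    info = {"id": txid, "tc": bool(flags & FLAG_TC), "edns_payload": None, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns_payload"] = rclass  # CLASS field doubles as the buffer size
            info["do"] = bool(ttl & EDNS_DO)
    return info


def needs_tcp_retry(response):
    """Resolver-side decision: a TC=1 answer must be re-asked over TCP (RFC 7766)."""
    return parse_message(response)["tc"]


def build_truncated_response(query):
    """Constructed sample: echo the query with QR and TC set, as an overflowing server would."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR | FLAG_TC
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + query[12:]


if __name__ == "__main__":
    print("IPv6 min MTU payload:", max_payload_for_mtu(IPV6_MIN_MTU))        # 1232
    print("IPv4 Ethernet payload:", max_payload_for_mtu(1500, ipv6=False))  # 1472
    q = build_query("darpa.mil", 1, 1232)
    print("advertised:", parse_message(q))
    print("retry over TCP:", needs_tcp_retry(build_truncated_response(q)))
```

The same parser can be pointed at real captured responses to count, per the question raised above, how many answers arrive truncated for a given advertised size; the constructed truncated reply here only demonstrates the decision path.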